[GH-ISSUE #255] Anyone can see any file without login #183

Closed
opened 2026-03-02 15:56:33 +03:00 by kerem · 9 comments

Originally created by @zkrx on GitHub (Nov 20, 2019).
Original GitHub issue: https://github.com/prasathmani/tinyfilemanager/issues/255

I don't understand. It seems that if you guess the file path, you can access any file without logging in, even with auth enabled, rendering it useless.

For example, type in the address bar:
https://your.host/path/to/picture1.jpg

and you will get access to picture1.jpg, without having to log in.

What am I missing? Do people really want to expose all their data to the outside world?


@prasathmani commented on GitHub (Nov 21, 2019):

It is just a file manager tool to manage files, it is not a security tool to protect files on the server; anyone can access files from a server if they know the file path. Nothing can be done about that in tinyfilemanager, and tinyfilemanager is fully private until you share it with the outside world. If you know better, feel free to contribute @zkrx .


@zkrx commented on GitHub (Nov 21, 2019):

I feel like you should at least warn users in the documentation. You're advertising a false sense of security with the authentication feature. I'm sure that many people use this application to access their files from the outside, perhaps without knowing that their data is public.

Besides, while I'm no PHP expert, I don't believe that this has nothing to do with tinyfilemanager. You could (and should IMO) definitely handle this case in the PHP code.

Again, I hardly do any PHP. But one could start by checking the $_SESSION token before giving access to any file. I'm sure that there's plenty of information available on the topic.


@andrewlytvyn commented on GitHub (Nov 21, 2019):

Without logging in and knowing the path to a file, you only have read access.


@EV-soft commented on GitHub (Nov 21, 2019):

Suggested Note:
"Please be aware that the TinyFile Manager access system only protects access to the application. To block files from public access, do so in the web server's file system! (.htaccess)"


@joglomedia commented on GitHub (Nov 26, 2019):

move your storage path outside the public_html (usually)


@etnx commented on GitHub (Dec 23, 2019):

> move your storage path outside the public_html (usually)

To be more specific, you need to modify this line like this (line 72):

```php
$root_path = '/my-secret-folder/not-in-public_html/';
```

Note: the root URL for links in the file manager won't work anymore. Maybe you should remove these from the front-end (lines 1799 and 1853):

```php
<a title="<?php echo lng('DirectLink')?>" href="<?php echo fm_enc(FM_ROOT_URL . (FM_PATH != '' ? '/' . FM_PATH : '') . '/' . $f . '/') ?>" target="_blank"><i class="fa fa-link" aria-hidden="true"></i></a>
...
<a title="<?php echo lng('DirectLink') ?>" href="<?php echo fm_enc(FM_ROOT_URL . (FM_PATH != '' ? '/' . FM_PATH : '') . '/' . $f) ?>" target="_blank"><i class="fa fa-link"></i></a>
```

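The two mitigations raised in this thread (keep `$root_path` outside `public_html`, and check the session before handing out a file) combined in one small PHP download endpoint, as an added example that is not TinyFileManager's own code. It assumes a successful login sets `$_SESSION['logged']` and that the requested relative path arrives in the `f` query parameter; both are hypothetical names, not the project's.

```php
<?php
// Added example, not TinyFileManager's own code: a session-gated download
// endpoint. Assumes $root_path is outside the document root and that a
// successful login sets $_SESSION['logged'] = true (hypothetical key).
declare(strict_types=1);
session_start();
$root_path = '/my-secret-folder/not-in-public_html/';

// Resolve a user-supplied relative path to a regular file inside $root,
// or return null if it is missing, absolute, or escapes the root.
function resolve_inside_root(string $root, string $relative): ?string
{
    $realRoot = realpath($root);
    if ($realRoot === false || $relative === '') {
        return null;
    }
    // Refuse NUL bytes and absolute paths before touching the filesystem.
    if (strpos($relative, "\0") !== false || $relative[0] === '/') {
        return null;
    }
    // realpath() collapses '..' and symlinks; the result must still sit under the root.
    $candidate = realpath($realRoot . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $realRoot . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// 1. Require a logged-in session before serving anything.
if (empty($_SESSION['logged'])) {
    http_response_code(401);
    exit('Login required');
}
// 2. Only serve files that resolve inside the private storage root.
$file = resolve_inside_root($root_path, (string) ($_GET['f'] ?? ''));
if ($file === null) {
    http_response_code(404); // same answer for "missing" and "outside root"
    exit('Not found');
}
// 3. Stream it as a download with a generic type, so uploaded HTML or SVG
//    is never rendered in the application's origin.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($file)));
header('Content-Length: ' . (string) filesize($file));
readfile($file);
```

Because the storage directory is not under the document root, the web server itself can no longer serve those files by path; this script becomes the only route to them, and it refuses requests without a session.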

@alecos71 commented on GitHub (Dec 29, 2019):

If you need to protect files and folders in your web site and you can use Apache Web Server (PHP is mandatory), I suggest my application script:

https://www.alecos.it/download_eng.php#ApacheHT

Usage is simple: upload it into your website folder and then run it in your web browser.

Don't use special characters, since Apache cannot store them in htpasswd. But you can think of a very complex user and password.

Merry Christmas and Happy New Year!


@piratetub commented on GitHub (Mar 10, 2020):

Shouldn't this issue be closed?


@ririko5834 commented on GitHub (Nov 5, 2024):

Hello, does anyone know of a more secure alternative to TinyFileManager? I thought that you can't access files without logging in; it should definitely be protected so that you can only browse the files if the session cookie is valid. Then there should be a share option where you could generate a sharing link for a file or a folder, and with that link people who are not logged in could also view/download that single folder/file. It shouldn't be possible to access a file by guessing the path; it's not secure.
