

10 days ago
There’s tons of backup solutions out there. Why should selfhosters buy a proprietary one?
Hello there!
I’m also @savvywolf@furry.engineer , and I have a website at https://www.savagewolf.org/ .
He/They


Had a quick skim and found this little guy:
```python
# ---------- Protected media route ----------
@app.route('/img/<path:name>')
@login_required
def media(name):
    db = SessionLocal()
    try:
        me = current_user(db)
        # Find the post with this image
        post = db.query(Post).filter_by(image_path=name).first()
        if post:
            # Check visibility
            can_view = post.user_id == me.id or db.query(UserVisibility).filter_by(
                owner_id=post.user_id,
                viewer_id=me.id
            ).first() is not None
            if not can_view:
                abort(403)
        return send_from_directory(UPLOAD_DIR, os.path.basename(name))
    finally:
        db.close()
```

I’ve not read through everything, but there are some security concerns that jump out to me from just this function. Hopefully you can enlighten me on them.
Firstly, what is stopping a logged-in user from accessing any image that, for whatever reason, doesn’t have an associated post for it?
Secondly, the return codes for “the image doesn’t exist” (404) and “the image exists but you can’t access it” (403) look to be different. This means that a logged-in user can check whether a given filename (e.g. “epstien_and_trump_cuddling.jpg”) has been uploaded or not by any user.
Both of these look to be pretty bad security issues, especially for a project touting its ability to protect from nation-states. Am I missing something?
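The two concerns raised in the comment above, as an added example that is not part of the original comment or the project's code: a framework-free model of the quoted route's decision logic next to a deny-by-default variant that gives one answer for "missing" and "not allowed". The sample data, the function names and the choice of 404 for both cases are assumptions made for illustration.

```python
import os

# Constructed sample data (not from the project):
POSTS = {"alice_private.jpg": 1}             # image_path -> owner user id
VISIBILITY = {(1, 2)}                        # (owner_id, viewer_id) grants
FILES = {"alice_private.jpg", "orphan.jpg"}  # upload dir; orphan.jpg has no post


def original_status(name, viewer_id):
    """HTTP status the quoted route's logic would produce (hypothetical model)."""
    owner = POSTS.get(name)
    if owner is not None:
        can_view = owner == viewer_id or (owner, viewer_id) in VISIBILITY
        if not can_view:
            return 403  # differs from 404, so existence is observable
    # No matching post: the visibility check is skipped and the file is served.
    return 200 if os.path.basename(name) in FILES else 404


def hardened_status(name, viewer_id):
    """Deny by default: a file is served only when a post row authorises it."""
    owner = POSTS.get(name)
    allowed = owner is not None and (
        owner == viewer_id or (owner, viewer_id) in VISIBILITY
    )
    # Same status for "no such image", "no post row" and "not permitted".
    if not allowed or name not in FILES:
        return 404
    return 200


if __name__ == "__main__":
    for fn in (original_status, hardened_status):
        print(fn.__name__, [fn(n, 3) for n in
                            ("orphan.jpg", "alice_private.jpg", "missing.jpg")])
```

In a real Flask route the same shape is a single `abort(404)` reached from every failing branch, placed before any call that touches the filesystem.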