
Files served at url are visible to anonymous users


Describe the bug
User uploaded file viewer is wrapped in @login_required, but somehow both anonymous users and other users can see that user's file.

To Reproduce
Steps to reproduce the behavior:

  1. Upload file “X.pdf” as user Y
  2. Log out
  3. As anonymous user, browse to show/X.pdf
  4. File is visible, or
  5. As a different user, browse to show/X.pdf
  6. File is visible

Expected behavior
I expect to be redirected to my login view when an anonymous person tries to go to this address.

Desktop (please complete the following information):

  • OS: macOS, iOS
  • Browser: Safari & Firefox
  • Version: Latest

Additional context
Code:

import os
from typing import Union
from flask import Flask, Response, abort, send_from_directory
from flask_login import current_user, login_required
from werkzeug.utils import secure_filename

app = Flask(__name__)  # assumed: app, LoginManager and app.config['UPLOAD_FOLDER'] are set up elsewhere

@app.route('/show/<filename>')
@login_required
def show(filename: str) -> Union[Response, str]:
    filename = secure_filename(filename)  # clean user input
    user_dir = os.path.join(app.config['UPLOAD_FOLDER'], current_user.uuid)  # per-user directory
    if os.path.exists(os.path.join(user_dir, filename)):
        return send_from_directory(directory=user_dir, filename=filename)  # 'filename=' became 'path=' in Flask 2.0
    else:
        abort(404)

I honestly have no clue how this is happening. Each user has a unique uuid that acts as a unique directory where their files get stored to disk.

My bug might come from a misunderstanding of how cookies and session data are stored here. It might be relevant that I am accessing these file urls shortly after being logged in as the correct user that owns the files.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:6

Top GitHub Comments

1 reaction
elamje commented, Oct 9, 2019

@ndavison Thanks for the detailed responses. After the entire day, I discovered what my problem was, and I’m sad to say, it was Cloudflare caching production. I was so confident I was thinking of every part of my stack, but I forgot about how aggressive Cloudflare caches content (images in this case).

I believe I was reproducing the issue locally because my browser was caching the results, but I’m going to look into it more.

Thanks again!
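The root cause above is worth seeing mechanically: a shared cache (CDN edge) that keys on URL and ignores cookies will store the owner's authenticated response and replay it to whoever asks for the same URL next, and @login_required never runs because the request never reaches the origin. The block below is an added example, not code from the original issue or from flask-login. It models that edge with a small `SharedCache` class, an origin app shaped like the reporter's /show/<filename> route (with a toy `session_user` cookie check standing in for flask-login), and a WSGI middleware `private_no_store` that sets `Cache-Control: private, no-store` on per-user paths so neither the CDN nor the browser keeps a copy. The `PRIVATE_PREFIXES` value and the sample file data are assumptions for the demo; a Flask app would install the middleware with `app.wsgi_app = private_no_store(app.wsgi_app)`.

```python
"""Added example: why a shared cache leaks authenticated responses, and the
Cache-Control fix, modelled in pure WSGI so it runs without Flask installed."""
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample data: user "user-y" owns X.pdf, mirroring the report.
FILES: Dict[str, Dict[str, bytes]] = {"user-y": {"X.pdf": b"%PDF-1.4 constructed sample"}}

# Assumption: everything under /show/ is per-user and must never be shared.
PRIVATE_PREFIXES: Tuple[str, ...] = ("/show/",)


def session_user(cookie_header: str) -> Optional[str]:
    """Toy stand-in for flask-login: a cookie 'session=<user>' identifies the user."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


def origin(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Origin app with the shape of the reporter's /show/<filename> route:
    redirect anonymous users, 404 on unknown files, otherwise send the file.
    It sets no Cache-Control header, which is the reported setup."""
    path = environ.get("PATH_INFO", "")
    user = session_user(environ.get("HTTP_COOKIE", ""))
    if not path.startswith(PRIVATE_PREFIXES):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"public page"]
    if user is None:
        start_response("302 FOUND", [("Location", "/login")])
        return [b""]
    data = FILES.get(user, {}).get(path[len("/show/"):])
    if data is None:
        start_response("404 NOT FOUND", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "application/pdf")])
    return [data]


def private_no_store(app: Callable, prefixes: Tuple[str, ...] = PRIVATE_PREFIXES) -> Callable:
    """WSGI middleware: on matching paths, replace any Cache-Control with
    'private, no-store'. Under Flask: app.wsgi_app = private_no_store(app.wsgi_app)."""
    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        path = environ.get("PATH_INFO", "")

        def patched_start(status: str, headers: Headers, exc_info=None):
            if path.startswith(prefixes):
                headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
                headers.append(("Cache-Control", "private, no-store"))
            return start_response(status, headers, exc_info)

        return app(environ, patched_start)
    return wrapped


class SharedCache:
    """Minimal CDN-edge model: keys on path only (ignores cookies) and stores
    any 200 response unless Cache-Control says no-store or private."""
    def __init__(self, app: Callable) -> None:
        self.app = app
        self.store: Dict[str, Tuple[str, bytes]] = {}
        self.hits = 0

    def fetch(self, path: str, cookie: str = "") -> Tuple[str, bytes]:
        if path in self.store:
            self.hits += 1
            return self.store[path]          # served from cache: origin never sees the request
        captured: Dict[str, Any] = {}

        def start_response(status: str, headers: Headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
            return lambda data: None

        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
        body = b"".join(self.app(environ, start_response))
        status, headers = captured["status"], captured["headers"]
        cc = next((v for k, v in headers if k.lower() == "cache-control"), "")
        directives = {d.strip().lower() for d in cc.split(",")}
        if status.startswith("200") and not directives & {"no-store", "private"}:
            self.store[path] = (status, body)
        return status, body


def anonymous_gets_file(app: Callable) -> bool:
    """Owner fetches X.pdf through the edge, then an anonymous client asks for the
    same URL. True means the edge handed the owner's file to the anonymous client."""
    edge = SharedCache(app)
    edge.fetch("/show/X.pdf", cookie="session=user-y")
    status, body = edge.fetch("/show/X.pdf")
    return status.startswith("200") and body == FILES["user-y"]["X.pdf"]


if __name__ == "__main__":
    print("leak without Cache-Control:", anonymous_gets_file(origin))                    # True
    print("leak with private, no-store:", anonymous_gets_file(private_no_store(origin)))  # False
```

The same header also stops the browser-side replay the reporter suspected locally: `no-store` tells the browser cache not to keep the body either, so a logout followed by a back-navigation or a retyped URL goes to the origin and hits @login_required. Real CDNs differ in which extensions they cache by default and whether they honour `private`, so verify with a second, cookie-less client against production rather than trusting the origin's code alone.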

1 reaction
ndavison commented, Oct 8, 2019

What does your @login_manager.user_loader callback look like? As your comment above shows, the _id is sticky (looks like this will be fixed in the next major release https://github.com/maxcountryman/flask-login/pull/436) so if you’re using this for any sort of logic in loading the user from the cookie and session, it may be causing an issue.

In the /show/x route, which current_user id, name etc does it think is logged in when you’re experiencing the issue?

FYI, unrelated but based on your comment above, you’ll need to clear the CSRF token on login as otherwise it too is prone to session fixation issues - the attack could be an anonymous user generates a session with a CSRF token they know, somehow gives this session to another user (using some other vulnerability, like response header injection), this other user elevates the session into an authenticated one, and therefore the attacker knows this authenticated user’s CSRF token.
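The fixation chain in that last paragraph, as an added example that is not part of the original thread or of flask-login: a plain dict stands in for Flask's dict-like `session`, `login_keep_session` authenticates in place (the vulnerable pattern), and `login_rotate_session` discards pre-login state first, which under Flask is `session.clear()` before `login_user()`. The session keys `csrf_token` and `_user_id` are assumptions chosen to resemble what Flask-WTF and flask-login store; the scenario function returns whether the token the attacker planted still validates once the victim has logged in.

```python
"""Added example: CSRF-token fixation across login, and session rotation as the fix."""
import hmac
import secrets
from typing import Callable, Dict

CSRF_KEY = "csrf_token"   # assumption: session key used by the CSRF library
USER_KEY = "_user_id"     # assumption: session key used by the login library


def get_csrf_token(session: Dict[str, str]) -> str:
    """Issue a token on first use, then reuse it for the session's lifetime."""
    if CSRF_KEY not in session:
        session[CSRF_KEY] = secrets.token_urlsafe(32)
    return session[CSRF_KEY]


def validate_csrf(session: Dict[str, str], submitted: str) -> bool:
    """Constant-time comparison against the token stored in the session."""
    expected = session.get(CSRF_KEY)
    return expected is not None and hmac.compare_digest(expected, submitted)


def login_keep_session(session: Dict[str, str], user_id: str) -> None:
    """Vulnerable pattern: promote the session to authenticated while keeping
    everything it already held, including an attacker-chosen CSRF token."""
    session[USER_KEY] = user_id


def login_rotate_session(session: Dict[str, str], user_id: str) -> None:
    """Hardened pattern: drop all pre-auth state, then authenticate and issue a
    fresh token the attacker has never seen."""
    session.clear()
    session[USER_KEY] = user_id
    get_csrf_token(session)


def attacker_token_still_valid(login: Callable[[Dict[str, str], str], None]) -> bool:
    """Attacker creates a session and learns its CSRF token, plants that session
    on the victim through some other flaw, and the victim logs in. Returns True
    if the attacker's token still passes validation in the victim's session."""
    planted: Dict[str, str] = {}
    attacker_knows = get_csrf_token(planted)
    victim_session = dict(planted)      # victim's browser now carries the planted session
    login(victim_session, "user-y")
    return validate_csrf(victim_session, attacker_knows)


if __name__ == "__main__":
    print("fixation works without rotation:", attacker_token_still_valid(login_keep_session))    # True
    print("fixation works with rotation:", attacker_token_still_valid(login_rotate_session))     # False
```

With Flask's signed-cookie sessions the attacker cannot forge a session, but they can hand a session they legitimately obtained to the victim; clearing it at the privilege boundary is what breaks the chain, for the CSRF token and for any other pre-login state.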

