Security issue: File URLs are easy to guess

[rimas-kudelis]

With the file urls like http://SERVER.TLD/file?id=123, it's very easy to see any file on the server: you just start with ?id=1, and keep incrementing the number for as long as you like. To me, it seems like quite a huge security issue.

To work this around, I suggest to use a different identifier for file queries. For example, storing file id as GUID, which is not incremental, might work well.

Also, I think it would be nice to be able to link to the file directly, if it's uploaded to a public place, although if the above were implemented, that would be enough.

[prabowomurti]

I have found some glitch that I can not resolve. After installing the extension, I configure the controllerMap as follow

'controllerMap' => [
        'file' => backend\controllers\FileController::class,
],

I am using yii2-advanced-template and only expose the backend application. I have my own FileController with accesscontrol. But, even if I remove completely the configuration above, it can still access the file (without authentication), means it has access to the \mdm\upload\FileController (?).

Update #0
I just realized it always load the Bootstrap class and set the controllerMap['file'] to \mdm\upload\FileController, no matter I set the controllerMap['file'] value.

    public function bootstrap($app)
    {
        if ($app instanceof \yii\web\Application) {
            $app->controllerMap['file'] = __NAMESPACE__ . '\FileController';

Do we need another param like disableFilePublicAccess?

<?php

namespace mdm\upload;

/**
 * Description of Bootstrap
 *
 * @author Misbahul D Munir <misbahuldmunir@gmail.com>
 * @since 1.0
 */
class Bootstrap implements \yii\base\BootstrapInterface
{

    public function bootstrap($app)
    {
        if (
            $app instanceof \yii\web\Application &&
            !($app->params['disableFilePublicAccess']) &&
            !isset($app->controllerMap['file'])
        ) {
            $app->controllerMap['file'] = __NAMESPACE__ . '\FileController';
        }
    }
}

What is your suggestion?

[prabowomurti]

@mdmunir I implemented a simple approach to generate the uuid field. prabowomurti@0776d6f

If you agree to implement it, I would love to ask for a PR. Thank you.