.DS_Store file in media directory

Hi,

Seafile Pro 9.0.16 on CentOS.

Our security scanner warned me about a publicly accessible file “.DS_Store” in the media directory:
https://seafile.xyz/media/.DS_Store
I found out that the file is included in the Seafile download package:

# tar -tvzf seafile-pro-server_9.0.16_x86-64_CentOS.tar.gz seafile-pro-server-9.0.16/seahub/media
...
-rw-r--r-- root/root      8196 2021-10-20 11:59 seafile-pro-server-9.0.16/seahub/media/.DS_Store

Not only in the latest, but also in the releases before 9.0.16. Could you try to delete those files before zipping the package?

Thanks,
Dirk

Well, there’s a second file under
-rw-r--r-- root/root 14340 2021-10-20 11:59 seafile-pro-server-9.0.16/seahub/seahub/.DS_Store

Yes, it should be removed, but it’s not a security risk for Seafile. The whole media folder is public, so it cannot expose any secret. seahub is not or should not be exposed and have read perms for public. The seahub folder doesn’t contain any config files, so again with all of it, nobody can use it, because they only find what is already public or what is already on GitHub :slight_smile:

Yes, I know that it’s no risk. But our security team sent me a scan report and I had to delete the file. I did this in the previous seafile version, but after the last update, the file appeared again. So I wrote this topic.

Dirk
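
Added example (not part of the thread and not Seafile's own tooling): a small POSIX shell helper for the two situations discussed above, checking a release tarball for `.DS_Store` members before it is published or installed, and purging the files from an unpacked server directory after each upgrade. The function names and the `check`/`purge` sub-commands are assumptions made for this example; the tarball and directory are passed as arguments.

```shell
#!/bin/sh
# Added example: function names and CLI verbs are hypothetical, not Seafile tooling.

# Print every .DS_Store member of a gzip tarball, one path per line.
# Returns 2 if the archive cannot be read, 0 otherwise (even with no matches).
list_ds_store_in_tar() {
    _members=$(tar -tzf "$1") || return 2
    # Match the exact basename only, so "x.DS_Store" is not reported.
    printf '%s\n' "$_members" | grep -E '(^|/)\.DS_Store$' || true
}

# Delete .DS_Store files below a directory and print what was removed.
# -type f skips symlinks; -xdev keeps find on the starting filesystem.
purge_ds_store() {
    find "$1" -xdev -type f -name .DS_Store -print -exec rm -f -- {} +
}

# Optional command-line use:
#   sh ds_store.sh check seafile-pro-server_9.0.16_x86-64_CentOS.tar.gz
#   sh ds_store.sh purge /path/to/unpacked/seafile-pro-server-9.0.16
case "${1:-}" in
    check)
        hits=$(list_ds_store_in_tar "$2") || exit 2
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            exit 1          # non-zero so a packaging or upgrade job can stop
        fi
        ;;
    purge)
        purge_ds_store "$2"
        ;;
esac
```

Running `purge` as the last step of every upgrade keeps the scanner finding from reappearing when a new package is unpacked.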