.DS_Store file in media directory


Seafile Pro 9.0.16 on CentOS.

Our security scanner warned me about a publicly accessible file “.DS_Store” in the media directory
I found out, that the file is included in the seafile download package:

# tar -tvzf seafile-pro-server_9.0.16_x86-64_CentOS.tar.gz seafile-pro-server-9.0.16/seahub/media
-rw-r--r-- root/root      8196 2021-10-20 11:59 seafile-pro-server-9.0.16/seahub/media/.DS_Store

Not only in the latest, but also in the releases before 9.0.16. Could you try to delete those files before zipping the package?


Well, there’s a second file under
-rw-r--r-- root/root 14340 2021-10-20 11:59 seafile-pro-server-9.0.16/seahub/seahub/.DS_Store

Yes, it should be removed but it’s not security risk for Seafile. Whole folder media is public, so it cannot expose any secret. seahub is not or should not be exposed and have read perms for public. seahub folder doesn’t contains any config files, so again with all of it, nobody can use it, cause they only find what is already public or what is already on Githhub :slight_smile:

Yes, I know that it’s no risk. But our security team sent me a scan report and I had to delete the file. I did this in the previous seafile version, but after the last update, the file appeared again. So I wrote this topic.