Hi,
Seafile Pro 9.0.16 on CentOS.
Our security scanner warned me about a publicly accessible file “.DS_Store” in the media directory
https://seafile.xyz/media/.DS_Store
I found out that the file is included in the Seafile download package:
# tar -tvzf seafile-pro-server_9.0.16_x86-64_CentOS.tar.gz seafile-pro-server-9.0.16/seahub/media
...
-rw-r--r-- root/root 8196 2021-10-20 11:59 seafile-pro-server-9.0.16/seahub/media/.DS_Store
Not only in the latest, but also in the releases before 9.0.16. Could you try to delete those files before zipping the package?
Thanks,
Dirk
Well, there’s a second file under
-rw-r--r-- root/root 14340 2021-10-20 11:59 seafile-pro-server-9.0.16/seahub/seahub/.DS_Store
Yes, it should be removed, but it's not a security risk for Seafile. The whole folder media is public, so it cannot expose any secret. seahub is not, or should not be, exposed and have read perms for the public. The seahub folder doesn't contain any config files, so again, with all of it, nobody can use it, because they only find what is already public or what is already on GitHub.
Yes, I know that it’s no risk. But our security team sent me a scan report and I had to delete the file. I did this in the previous seafile version, but after the last update, the file appeared again. So I wrote this topic.
Dirk
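The check Dirk ran by hand with `tar -tvzf`, turned into a small release-hygiene script. This is an added example, not code from the thread or from the Seafile project: it lists macOS metadata members (`.DS_Store`, `._*` resource forks, `__MACOSX` folders) inside a tarball, reports whether the archive is clean, and writes a copy with those members stripped. The sample tarball it builds (a `seahub/media/app.css` next to a stray `.DS_Store` and `._README`) is constructed here to mimic the layout from the posts; it assumes GNU tar, gzip, find and mktemp are available.

```shell
#!/bin/sh
# Added example, not from the thread or the Seafile project: detect and strip
# macOS metadata files from a release tarball before it is published.
set -eu

# List archive members that are macOS metadata junk (empty output = clean).
find_mac_junk() {
    tar -tzf "$1" | grep -E '(^|/)(\.DS_Store|\._[^/]+|__MACOSX)(/|$)' || true
}

# Exit status 0 when the tarball has no junk members, 1 otherwise.
tarball_is_clean() {
    [ -z "$(find_mac_junk "$1")" ]
}

# Write a copy of tarball $1 to $2 with the junk members removed.
strip_mac_junk() {
    src=$1; dst=$2
    work=$(mktemp -d)
    tar -xzf "$src" -C "$work"
    # -prune keeps find from descending into directories that are being deleted
    find "$work" \( -name .DS_Store -o -name '._*' -o -name __MACOSX \) \
        -prune -exec rm -rf {} +
    tar -czf "$dst" -C "$work" .
    rm -rf "$work"
}

# Build a constructed sample tarball mimicking the layout from the thread
# (a real asset next to a stray .DS_Store and a ._ resource fork).
# Prints the tarball path.
make_sample_tarball() {
    base=$(mktemp -d)
    top="$base/seafile-pro-server-9.0.16"
    mkdir -p "$top/seahub/media"
    echo 'body { color: black; }' > "$top/seahub/media/app.css"
    : > "$top/seahub/media/.DS_Store"
    : > "$top/seahub/._README"
    tar -czf "$base/release.tar.gz" -C "$base" seafile-pro-server-9.0.16
    echo "$base/release.tar.gz"
}

# Demo run: inspect the constructed sample, clean it, and re-check the result.
SAMPLE=$(make_sample_tarball)
echo "junk members in $SAMPLE:"
find_mac_junk "$SAMPLE"
CLEAN="${SAMPLE%.tar.gz}-clean.tar.gz"
strip_mac_junk "$SAMPLE" "$CLEAN"
if tarball_is_clean "$CLEAN"; then
    echo "clean copy written to $CLEAN"
else
    echo "junk still present in $CLEAN" >&2
    exit 1
fi
```

Running `tarball_is_clean` against each release archive in a packaging pipeline (failing the build when it returns non-zero) is the point at which a stray `.DS_Store` would have been caught before the tarball shipped; the stripping step is only a fallback for archives that already exist.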