[Security Bug] Password protection can be bypassed with direct link, even if share link is removed

Hey there

The direct link to a file shared via a password-protected share link can be accessed without a password.
Not the https://cloud.whatever/f/whatever but the https://cloud.whatever/seafhttp/files/someid/whatever.name link.
Even if you remove the share link, the direct link still allows download.
(even deleting the file does not help, not even clearing the trash)

This should be looked at.

Using latest server version.
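To make the reported failure mode concrete, here is an added model of the bug (example code, not Seafile's own; the Server class, its method names and the sample file/share ids are assumptions): the vulnerable validator checks only the direct link token's 24-hour expiry, while the fixed one also re-checks that the share link and the file still exist.

```python
"""Model of a direct download token that outlives the share it was issued for.
Added example, not Seafile code; class and method names are assumed."""
from dataclasses import dataclass, field
import secrets

TOKEN_TTL = 24 * 3600  # the 24-hour validity mentioned in the thread


@dataclass
class Server:
    files: set = field(default_factory=set)      # ids of files that exist
    shares: dict = field(default_factory=dict)   # share_id -> (file_id, password)
    tokens: dict = field(default_factory=dict)   # token -> (file_id, share_id, expiry)

    def create_share(self, file_id, password):
        share_id = secrets.token_hex(4)
        self.shares[share_id] = (file_id, password)
        return share_id

    def issue_token(self, share_id, password, now):
        """Only the password check guards token issuance; the token itself is a bearer secret."""
        file_id, expected = self.shares[share_id]
        if not secrets.compare_digest(expected, password):
            raise PermissionError("wrong password")
        token = secrets.token_hex(8)
        self.tokens[token] = (file_id, share_id, now + TOKEN_TTL)
        return token

    def download_vulnerable(self, token, now):
        """Checks only expiry: survives share removal and even file deletion."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        file_id, _, expiry = entry
        return file_id if now < expiry else None

    def download_fixed(self, token, now):
        """Re-validates the token against current state and drops it once stale."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        file_id, share_id, expiry = entry
        if now >= expiry or share_id not in self.shares or file_id not in self.files:
            self.tokens.pop(token, None)
            return None
        return file_id


def demo():
    """Constructed scenario: owner removes the share link one minute after a download token was issued."""
    s = Server(files={"f1"})
    sid = s.create_share("f1", "hunter2")
    tok = s.issue_token(sid, "hunter2", now=0)
    del s.shares[sid]  # share link removed by the owner
    return s.download_vulnerable(tok, now=60), s.download_fixed(tok, now=60)
```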


Does this also work if you are not logged into your seafile account?

The temporary direct link will be valid for 24 hours.

Yes it does, it is a direct link to a file which bypasses any type of auth and can be curl-ed for example.

Yeah, any chance you can fix that please?
