Since the short URL feature is being added to Tiki, could it not be combined with file galleries such that a file in a gallery is linked or displayed by using a short URL instead of the file ID?
This will enhance security and add new functionality to Tiki. Currently the value of fileId is sequentially generated and is therefore predictable: visitors can easily scrape files from a Tiki install by using tiki_download and incrementing the value of fileId inside a loop. Additionally, files can be hotlinked.
To fortify Tiki against this, all that needs to be done is to combine the new short URL functionality with file galleries: if plugin files is used with a parameter, say "mask" or "obfuscate", then the fileId will be substituted with a short code. For example, the user enters tiki-download_file.php?fileId=1 in the wiki text editor, just as before, but if the obfuscate="y" parameter is used then the HTML will show tiki-download_file.php?fileId=RandomShortURLhghhgfftrdfgnj
As an additional feature, if the duration (life / validity) of the short code can be user-defined per gallery / file / plugin files parameter, then tiki-download_file.php?fileId=RandomShortURLhghhgfftrdfgnj will stop serving fileId=1 after that time. Tiki could then be made to serve content via perishable and non-predictable file names, just like the big CDN companies such as Akamai do.
I imagine this would be fairly simple to implement and would add a very useful feature to Tiki.
For a simple implementation of this idea, see:
https://github.com/spatie/url-signer
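
The expiring-link part of the request, sketched as an added example (this is not Tiki's code and does not use the spatie/url-signer API): the link keeps the numeric fileId but carries an expiry and an HMAC over both, so incrementing fileId or extending the lifetime invalidates it. The `expires` and `signature` parameter names, the function names and the key are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical secret for the example; a real deployment loads it from server-side config.
const SIGNING_KEY = 'constructed-example-key-change-me';

/** Build a download link for $fileId that stops validating $ttl seconds after $now. */
function signDownloadUrl(int $fileId, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    // The MAC covers the file id and the expiry, so neither can be changed by the visitor.
    $sig = hash_hmac('sha256', "fileId={$fileId}&expires={$expires}", SIGNING_KEY);
    return "tiki-download_file.php?fileId={$fileId}&expires={$expires}&signature={$sig}";
}

/** Return the fileId when the link is authentic and unexpired, otherwise null. */
function verifyDownloadUrl(string $url, int $now): ?int
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['fileId', 'expires', 'signature'] as $key) {
        // Reject missing parameters and array-valued ones such as fileId[]=1.
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return null;
        }
    }
    if (!ctype_digit($q['fileId']) || !ctype_digit($q['expires'])) {
        return null;
    }
    $expected = hash_hmac('sha256', "fileId={$q['fileId']}&expires={$q['expires']}", SIGNING_KEY);
    // hash_equals compares in constant time, so the check leaks nothing about the MAC.
    if (!hash_equals($expected, $q['signature'])) {
        return null;
    }
    // The expiry is trusted only after the signature over it has been verified.
    if ((int) $q['expires'] < $now) {
        return null;
    }
    return (int) $q['fileId'];
}

// Constructed sample run: a one-hour link checked in three situations.
$now = 1700000000;
$url = signDownloadUrl(1, 3600, $now);
var_dump(verifyDownloadUrl($url, $now + 60));    // within the validity window
var_dump(verifyDownloadUrl($url, $now + 7200));  // after the link has expired
var_dump(verifyDownloadUrl(str_replace('fileId=1&', 'fileId=2&', $url), $now + 60)); // fileId incremented
```

Unlike the random short code described in the request, this variant needs no lookup table, but the file ID stays visible in the link; only the signature makes it unusable for enumeration.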