Developer forum

Forum » CMS - Standard features » Can access files in SecureFolder when not correct permissions

Can access files in SecureFolder when not correct permissions

Brian Bolks
Reply

Hi,

It seems theres a bug in the secure folder feature.

I used the following url to test

/Admin/Public/DWSDownload.aspx?File=/Files/Files/SecureFiles/pdf/test.pdf

if i call it it gives me a message: You do not have permission to view this directory or page.

thats correct. But if change the casing in the url somewhere in the RED part: /Admin/Public/DWSDownload.aspx?File=/Files/Files/SecureFiles/pdf/test.pdf  i can download the files just fine. So i suspect somewhere somebody forgot to check for case insensitive.

Might be HIGH prio bug if used with files that should only be accessible for certain people


Replies

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Reply

Hi Brian

We will test it. Are you using the new permissions or old ones, And what version?

Thank you for clarifying, Nicolai

 
Oleg Rodionov Dynamicweb Employee
Oleg Rodionov
Reply

Hi

Wow, good catch! I was able to reproduce the issue with new permission model only on last DW9.10.15 as well. I've created new BUG 5183 against the issue, it's planned to fix in upcoming release. Thanks for finding!

BR, Oleg QA

 
Kristian Kirkholt Dynamicweb Employee
Kristian Kirkholt
Reply
This post has been marked as an answer

Hi Brian

The bugfix #5183 URL to Secure Folder is case sensitive 

Has been fixed in Dynamicweb version 9.10.17 
You can get this version from the download section https://doc.dynamicweb.com/downloads/releases

Please contact support@dynamicweb.dk if there any questions regarding this

Kind Regards
Dynamicweb Support
Kristian Kirkholt

Votes for this answer: 1

 

You must be logged in to post in the forum