Security

[mvldebian]

How to protect the directory for access without authentication?
If you enter the full URL in the browser even without being authenticated, you can get the file in the temp folder.

Example: https://webmail.example.com.br/plugins/cloudview/temp/1/xxxxxxxxx.xlsx

Any additional configuration in the directory?
I understand that it needs to be public so that Office or Google can upload the file, the problem is to keep these files in the directory accessible.

[jfcherng]

It's logically conflicting. There is no different between the Office/Google agent and an anonymous person.

As long as you are not turning on the "directory listing" feature on your server (apache/nginx etc), I don't think files under the plugins/cloudview/temp/ directory can be "guessed". But there do is a concern that, if the authorized user uses a malware browser, the browser may log/leak the URL.

---

I force adding an index.html in every directory via

plugin-cloudview/cloudview.php

Lines 340 to 341 in a757d91

	// put an index.html to prevent from potential directory traversal
	@\file_put_contents("{$tempDir}/index.html", '', \LOCK_EX);

---

The filename at this moment is purely md5 hash of the file

plugin-cloudview/cloudview.php

Lines 355 to 362 in a757d91

	private function getAttachmentTempPath(Attachment $attachment): string
	{
	$fileExt = \strtolower(\pathinfo($attachment->getFilename(), \PATHINFO_EXTENSION));
	$fileDotExt = $fileExt ? ".{$fileExt}" : '';
	$fileBaseName = \hash('md5', (string) $attachment);
	return $this->url("temp/{$this->rcmail->user->ID}/{$fileBaseName}{$fileDotExt}");
	}

If it can be guessed, it could possible be that some information of that file had been leaked somewhere else already.