Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Private data is publicly visible at /uploaded/layers #2896

Closed
jondoig opened this issue Feb 9, 2017 · 4 comments
Closed

Private data is publicly visible at /uploaded/layers #2896

jondoig opened this issue Feb 9, 2017 · 4 comments

Comments

@jondoig
Copy link
Contributor

jondoig commented Feb 9, 2017
edited
Loading

In Geonode 2.4, all uploaded data can be listed and downloaded from http://<host>/uploaded/layers regardless of security permissions.

This seems to be by design. The installation doco says to make it all wide open:

sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/thumbs
sudo chmod -Rf 777 /home/geonode/geonode/geonode/uploaded/layers

Removing ‘other’ permission (chmod 770) breaks the upload function.
@jondoig jondoig mentioned this issue Feb 9, 2017
Closed
@jondoig
Copy link
Contributor Author

jondoig commented Feb 9, 2017
edited
Loading

At least we can make it a bit harder by denying directory listing in the Apache config. I.e. change the installation doco from:

    <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
        Order allow,deny
        Options Indexes FollowSymLinks
        Allow from all
        Require all granted
        IndexOptions FancyIndexing
    </Directory>

to

    <Directory "/home/geonode/geonode/geonode/uploaded/layers/">
        Order allow,deny
        Options -Indexes +FollowSymLinks
        Allow from all
        Require all granted
    </Directory>

(...and same for the other directories configured there.)

But it's still not hard to infer the actual filenames (if just the metadata is visible) and download them without listing the directory.

@simod
Copy link
Member

simod commented Feb 9, 2017

Hi, the uploaded/layers directory doesn't have to be served by apache, it only needs write permissions. Thumbs on the other hands need to be publicly available. If the doc says that uploaded has to be served then we need to fix it.

Thanks

jondoig pushed a commit to UNSW-CFRC/citydata-geonode-install that referenced this issue Feb 9, 2017
Removed uploaded/layers from Apache config
e02c9c9 
"The uploaded/layers directory doesn't have to be served by apache, it
only needs write permissions" - simod 2017-02--09
GeoNode/geonode#2896 (comment)
jondoig added a commit to jondoig/geonode that referenced this issue Feb 9, 2017
@jondoig
Removed uploaded/layers from Apache config
dbe2e1e 
"The uploaded/layers directory doesn't have to be served by apache, it only needs write permissions"
- @simod on GeoNode#2896

GeoNode#2896 (comment)
@jondoig jondoig mentioned this issue Feb 9, 2017
Merged
@jondoig
Copy link
Contributor Author

jondoig commented Feb 9, 2017

OK so I've made a pull request to fix the manual install doco, but the same change may be needed to other install methods ...Quick install? Ansible? Other?

@simod
Copy link
Member

simod commented Feb 10, 2017

Thanks I've also fixed it at package level see dedd939

@simod simod closed this as completed Feb 10, 2017
t-book pushed a commit to GeoNode/documentation that referenced this issue Feb 23, 2020
@jondoig
Removed uploaded/layers from Apache config
f537760 
"The uploaded/layers directory doesn't have to be served by apache, it only needs write permissions"
- @simod on #2896

GeoNode/geonode#2896 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@simod @jondoig