- Type: Security Issue
- Status: Unverified Fix
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.2.5
- Fix Version/s: 3.2.8-RC1
- Component/s: Attachments
- Labels: None

In includes/functions_download.php on line 199 and line 454, the Cache-Control is set to public.

header('Cache-Control: public');

A proxy service may cache a file in private forums or PMs, giving access to someone who does not have access. Minimally, this should be set to private. Ideally, to leverage a public cache, files that can be viewed by the anonymous user could be set to public and all others set to private.
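
The check below is an added example, not phpBB code and not part of the original report: it applies a simplified form of the RFC 9111 storage rules to show which download responses a shared proxy cache may keep, and compares the current header with the policy proposed above. It assumes GET requests; the function names and sample headers are constructed for illustration.

```python
# Simplified RFC 9111 section 3 storage check for a shared (proxy) cache.
# Assumes a GET request; ignores Vary, freshness and revalidation.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_store(status, request_headers, response_headers):
    """True if a shared cache is permitted to store this response."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    # Authorization blocks shared storage unless the response opts back in.
    # A session cookie gives no such protection: only the response header does.
    if "authorization" in req and not {"public", "must-revalidate", "s-maxage"} & cc.keys():
        return False
    explicit = {"public", "max-age", "s-maxage"} & cc.keys() or "expires" in resp
    return bool(explicit) or status in HEURISTIC_STATUS

def proposed_cache_control(anonymous_can_view):
    """Policy from the report: public only for files the anonymous user can view."""
    return "public" if anonymous_can_view else "private"

# Constructed samples: (label, anonymous_can_view, request headers).
SAMPLES = [
    ("public forum attachment", True, {}),
    ("private forum attachment", False, {"Cookie": "sid=constructed"}),
    ("PM attachment", False, {"Cookie": "sid=constructed"}),
]

def exposed_downloads(header_for):
    """Labels of restricted files a shared cache could store under a header policy."""
    return [label for label, anon, req in SAMPLES
            if not anon and shared_cache_may_store(200, req, {"Cache-Control": header_for(anon)})]

if __name__ == "__main__":
    print("current  :", exposed_downloads(lambda anon: "public"))
    print("proposed :", exposed_downloads(proposed_cache_control))
```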