Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-15984

Use of 'Cache-Control: public' for serving files

    Details

    • Type: Security Issue
    • Status: Unverified Fix (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.5
    • Fix Version/s: 3.2.8-RC1
    • Component/s: Attachments
    • Labels:
      None

      Description

      In inlcludes/functions_download.php on line 199 and line 454 the Cache-Control is set to public.

      header('Cache-Control: public');
      

      A proxy service may cache a file in private forums or PM's giving access to someone who does not have access. Minimally this should be set to private. Ideally to leverage a public cache files that can be viewed by the anonymous user could be set to public and set all others to private.

        Attachments

          Activity

            People

            • Assignee:
              Senky Senky
              Reporter:
              thecoalman thecoalman
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: