Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-15984

Use of 'Cache-Control: public' for serving files

    XMLWordPrintable

    Details

    • Type: Security Issue
    • Status: Unverified Fix (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.5
    • Fix Version/s: 3.2.8-RC1
    • Component/s: Attachments
    • Labels:
      None

      Description

      In inlcludes/functions_download.php on line 199 and line 454 the Cache-Control is set to public.

      header('Cache-Control: public');
      

      A proxy service may cache a file in private forums or PM's giving access to someone who does not have access. Minimally this should be set to private. Ideally to leverage a public cache files that can be viewed by the anonymous user could be set to public and set all others to private.

        Attachments

          Activity

            People

            Assignee:
            Senky Senky
            Reporter:
            thecoalman thecoalman
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: