[PHPBB3-15984] Use of 'Cache-Control: public' for serving files

XML

Word

Printable

Details

Type: Security Issue
Status: Unverified Fix (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.2.5
Fix Version/s: 3.2.8-RC1
Component/s: Attachments
Labels:
None

Description

In inlcludes/functions_download.php on line 199 and line 454 the Cache-Control is set to public.

header('Cache-Control: public');

A proxy service may cache a file in private forums or PM's giving access to someone who does not have access. Minimally this should be set to private. Ideally to leverage a public cache files that can be viewed by the anonymous user could be set to public and set all others to private.

Attachments

Activity

People

Assignee:: Senky

Reporter:: thecoalman

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/Mar/19 12:29 PM

Updated:: 17/Jun/19 8:25 AM

Resolved:: 17/Jun/19 8:25 AM