nicoeri/filebrowser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
aa0338a1c4
filebrowser/frontend
History
wx-11-ot aa0338a1c4 feat: secure direct download links - only show for password-free shares 
SECURITY: Fix potential password bypass vulnerability by:

Frontend changes:
- Add password_hash field to Share interface
- Only show direct download button for single files without password protection
- Update hasDownloadLink() to check both file type and password status

Backend changes:
- Remove token-based authentication bypass for password-protected shares
- Enforce password authentication for all protected shares, even with valid tokens
- Add security comments explaining the rationale

This ensures that password-protected shares cannot be accessed via direct
download links, closing the security vulnerability while preserving the
convenience of direct downloads for public shares.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-07 20:49:55 +08:00
..
dist refactor: migrate frontend tooling to vite 4 (#2645) 2023-08-26 13:55:51 +02:00
public feat: update icons, remove deprecated Microsoft Tiles 2025-07-02 08:33:12 +02:00
src feat: secure direct download links - only show for password-free shares 2025-08-07 20:49:55 +08:00
tests feat: migrate to vue 3 (#2689) 2024-04-01 17:18:22 +02:00
tests-examples feat: migrate to vue 3 (#2689) 2024-04-01 17:18:22 +02:00
.prettierignore refactor: Fix eslint warnings (#3698) 2025-01-30 10:18:48 +01:00
.prettierrc.json refactor: migrate frontend tooling to vite 4 (#2645) 2023-08-26 13:55:51 +02:00
assets_dev.go chore: add make fmt target 2021-12-20 22:39:00 +01:00
assets.go chore: add make fmt target 2021-12-20 22:39:00 +01:00
env.d.ts build: update to node 22 and pnpm (#3616) 2024-12-09 12:27:18 +01:00
eslint.config.js chore: update minor dependencies (#5295) 2025-07-15 20:02:06 +02:00
index.html feat: update icons, remove deprecated Microsoft Tiles 2025-07-02 08:33:12 +02:00
package.json build(deps): bump vue-i18n from 11.1.9 to 11.1.10 in /frontend 2025-07-17 06:49:33 +02:00
playwright.config.ts feat: migrate to vue 3 (#2689) 2024-04-01 17:18:22 +02:00
pnpm-lock.yaml build(deps): bump vue-i18n from 11.1.9 to 11.1.10 in /frontend 2025-07-17 06:49:33 +02:00
postcss.config.cjs refactor: migrate frontend tooling to vite 4 (#2645) 2023-08-26 13:55:51 +02:00
tsconfig.app.json build: update to node 22 and pnpm (#3616) 2024-12-09 12:27:18 +01:00
tsconfig.json build: update to node 22 and pnpm (#3616) 2024-12-09 12:27:18 +01:00
tsconfig.node.json build: update to node 22 and pnpm (#3616) 2024-12-09 12:27:18 +01:00
tsconfig.tsc.json feat: select item on file list after navigating back (#5329) 2025-07-27 13:03:00 +02:00
vite.config.ts feat: migrate to vue 3 (#2689) 2024-04-01 17:18:22 +02:00