Security issue with image widgets


#1

I went to test out some functionality with the new image widget.

I uploaded my image into the widget, then went to check on the load URL for the image in the widget. It was of the format https://s3.amazonaws.com/ubi-files/<filename>.

This is not namespaced! I was able to easily guess another user’s image filename and see that image.

Then, I was able to upload a file with the same name to my own dashboard and overwrite that user’s image. I’m sure this affected their dashboard. It was not my intention to do any damage, just to test.

Please fix this!


#2

Hi there, thanks for the report. I have just shared it with the dev team in order to solve it.

All the best


#3

Hi there, we have released a patch to create a unique id per image uploaded using the widget, thanks for your report and feedback.

All the best
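As an added example (not the vendor's code and not part of the thread above), here is a Python simulation of the key scheme the report describes next to a hardened one. The in-memory store stands in for the S3 bucket; `ubi-files` is taken from the URL format in the report, while the user ids, filenames and image bytes are constructed for the example. The patch in #3 only mentions a unique id per image; the per-user prefix, the basename sanitisation and the refuse-to-overwrite PUT are this example's additions, not something the thread says the vendor did.

```python
"""Upload-key simulation: the reported flat scheme beside a hardened one.

Added example, not the vendor's code. ObjectStore is an in-memory stand-in
for the S3 bucket; everything except the 'ubi-files' prefix is assumed.
"""
import os
import re
import uuid
from typing import Dict, Tuple

BUCKET_PREFIX = "ubi-files"  # from the URL format quoted in the report


class ObjectStore:
    """In-memory stand-in for an S3 bucket (constructed for this example)."""

    def __init__(self) -> None:
        self._objects: Dict[str, Tuple[str, bytes]] = {}  # key -> (owner, data)

    def put(self, key: str, owner: str, data: bytes, *, overwrite: bool = True) -> None:
        # overwrite=False models a conditional create (S3 PutObject with
        # If-None-Match: *): a second writer cannot clobber an existing object
        # even if two uploads somehow land on the same key.
        if not overwrite and key in self._objects:
            raise FileExistsError(key)
        self._objects[key] = (owner, data)

    def get(self, key: str) -> bytes:
        return self._objects[key][1]

    def owner(self, key: str) -> str:
        return self._objects[key][0]


def flat_key(filename: str) -> str:
    """The reported scheme: the object key is just the user-supplied filename,
    so any two users who pick the same name share (and overwrite) one object."""
    return f"{BUCKET_PREFIX}/{filename}"


_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def hardened_key(user_id: str, filename: str) -> str:
    """Per-user namespace plus an unguessable id per upload (assumed design).

    os.path.basename drops any directory component the client sends, so a
    filename such as '../logo.png' cannot escape the user's prefix.
    """
    base = os.path.basename(filename)
    base = _UNSAFE_CHARS.sub("_", base)[:128] or "upload"
    return f"{BUCKET_PREFIX}/{user_id}/{uuid.uuid4().hex}-{base}"


def upload_flat(store: ObjectStore, user_id: str, filename: str, data: bytes) -> str:
    key = flat_key(filename)
    store.put(key, user_id, data)  # unconditional PUT, as the report describes
    return key


def upload_hardened(store: ObjectStore, user_id: str, filename: str, data: bytes) -> str:
    key = hardened_key(user_id, filename)
    store.put(key, user_id, data, overwrite=False)  # never replace an existing object
    return key


def demo_flat():
    """Reproduce the report: bob uploading 'logo.png' replaces alice's 'logo.png'."""
    store = ObjectStore()
    alice_key = upload_flat(store, "alice", "logo.png", b"alice-image")
    bob_key = upload_flat(store, "bob", "logo.png", b"bob-image")
    # Same key for both users, and alice's object now holds bob's bytes.
    return alice_key == bob_key, store.get(alice_key)


def demo_hardened():
    """Same uploads under the hardened scheme: distinct keys, both images intact."""
    store = ObjectStore()
    alice_key = upload_hardened(store, "alice", "logo.png", b"alice-image")
    bob_key = upload_hardened(store, "bob", "../logo.png", b"bob-image")
    return alice_key, bob_key, store.get(alice_key), store.get(bob_key)


if __name__ == "__main__":
    print("flat scheme, same key and overwritten:", demo_flat())
    print("hardened scheme:", demo_hardened())
```

`demo_flat()` reproduces what the reporter saw: the second upload of `logo.png` lands on the same key and silently replaces the first user's image. `demo_hardened()` yields two different keys under different user prefixes, keeps both images, and the random id makes a key unguessable even when the filename is known. One caveat the thread does not address: if the bucket stays publicly readable, a random id only turns the URL into a capability link, so anyone who obtains the link can still fetch the image; keeping the bucket private and serving images through signed URLs or the application is the complementary control.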


#4

Thanks, behavior looks good now.