Hi folks. I just started using CKFinder (ASP.NET) and I have a concern.
It is with the "View" context menu item. It appears to be opening a new browser with a URL referring directly to the file on the server. This seems like a major security flaw to me, as it would then be very easy for a user to guess the URLs of other files and access them directly through the browser, circumventing the CKFinder control entirely.
I get around this by blocking anonymous access to the file directories. I can't imagine using the CKFinder ACL features without taking that precaution. But it renders the "View" menu item useless, as the request for the original document is (rightfully) blocked.
Ideally, the "View" menu item should copy the contents of the file to an http response, just like the "Download" item appears to do, except the content-disposition should be inline instead of attachment. Then the user will be able to view files in protected directories, in accordance with the CKFinder's ACL, but won't be able to get at other users' files.
I can use the "SelectFunction" property to redirect to a URL that will safely view a file when double-clicked, so I can manage without the "View" item. Is there a way to remove the "View" item from the context menu without rebuilding the control?
Thanks
Mon, 02/08/2010 - 10:35
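The handler the post asks for, written here as an added example (it is not CKFinder's code and not part of the original post): an ASP.NET `IHttpHandler` that answers a request like the `showdoc.aspx?file=` URL mentioned later in the thread, refuses anything outside one protected root, applies a per-user check, and then writes the file back with `Content-Disposition: inline` rather than `attachment`. The class name `ShowDocHandler`, the `ProtectedRoot` folder, the `UserMayView` rule (a user may only view files under a folder named after that user) and the `file` parameter name are all assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not CKFinder's code: serve a file inline only after the caller and the
// path have been checked, so the "View" action no longer needs a directly reachable file URL.
public class ShowDocHandler : IHttpHandler
{
    // Hypothetical: the directory that anonymous access is blocked for in web.config.
    private const string ProtectedRoot = "~/userfiles/";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        string requested = context.Request.QueryString["file"]; // already URL-decoded by ASP.NET
        if (string.IsNullOrEmpty(requested))
        {
            response.StatusCode = 400;
            return;
        }

        string root = Path.GetFullPath(context.Server.MapPath(ProtectedRoot));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar; // so "userfiles2" cannot pass a prefix test for "userfiles"

        string fullPath;
        try
        {
            // Canonicalise before comparing: "..", mixed separators and absolute paths are resolved
            // first, and only the resolved path is compared against the root.
            fullPath = Path.GetFullPath(Path.Combine(root, requested.TrimStart('/', '\\')));
        }
        catch (ArgumentException) // invalid characters in the requested name
        {
            response.StatusCode = 400;
            return;
        }

        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !UserMayView(context, fullPath))
        {
            response.StatusCode = 403; // one answer for traversal and for a denied ACL: no hint which it was
            return;
        }
        if (!File.Exists(fullPath))
        {
            response.StatusCode = 404;
            return;
        }

        string contentType = MimeMapping.GetMimeMapping(fullPath);
        // Types the browser would execute as part of this site (uploaded HTML, SVG) are still
        // sent as attachments; everything else is rendered inline, which is what "View" needs.
        bool activeContent = contentType == "text/html" || contentType == "image/svg+xml";
        string disposition = activeContent ? "attachment" : "inline";

        // Strip quotes and line breaks from the name so the file name cannot break the header.
        string safeName = Path.GetFileName(fullPath).Replace("\"", "").Replace("\r", "").Replace("\n", "");

        response.ContentType = contentType;
        response.AddHeader("Content-Disposition", disposition + "; filename=\"" + safeName + "\"");
        response.AddHeader("X-Content-Type-Options", "nosniff");
        response.TransmitFile(fullPath);
    }

    // Hypothetical ACL hook standing in for the per-user rules CKFinder's ACL config expresses:
    // an authenticated user may only view files under the folder named after that user.
    private static bool UserMayView(HttpContext context, string fullPath)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            return false;
        string userFolder = Path.GetFullPath(Path.Combine(context.Server.MapPath(ProtectedRoot),
                                                          context.User.Identity.Name))
                            + Path.DirectorySeparatorChar;
        return fullPath.StartsWith(userFolder, StringComparison.OrdinalIgnoreCase);
    }
}
```

Registered as the target of the `showdoc.aspx?file=...` URL, this keeps the file directory itself blocked for anonymous requests while still letting "View" (or a double-click via `SelectFunction`) open the document in the browser. The ordering matters: the path is canonicalised and compared against the root before the ACL rule runs, and both failures return the same 403, so a caller cannot use the response to learn whether a guessed path exists.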
Re: Circumventing ACL: "View" context menu item unsafe
However, it would still be nice to be able to control which items show up in the context menu. Right now, in my implementation, "View" and "Select" do exactly the same thing. I tweaked the source code a bit so that the "View" item calls my script instead of accessing the URL directly. I like your idea about setting the BaseURL better, but that'll still leave both the "View" and "Select" items doing the same thing. I would really like to see some kind of option in the config file that selects which menu items you want visible.
Or, just as good, have the option to have a double-click trigger the "View" action instead of calling a SelectFunction. Since viewing is the most common result of a double-click, that would release the developer from the need to provide a SelectFunction and would also eliminate having a redundant menu item when the developer chooses to implement the common scenario of a double-click View.
Thanks again.
Re: Circumventing ACL: "View" context menu item unsafe
Of course, depending on how you are using CKFinder, your needs will be different. In the future it will be possible to control the toolbar and context menus better, including the option to add your own items or hide existing ones.
Re: Circumventing ACL: "View" context menu item unsafe
My worry, though, is that even though it works, that's mainly due to browser leniency, and it's still not technically correct. Shouldn't the URL be URLEncoded when you select "View"?
Sadly, in my scenario, that still wouldn't be enough. For example, here is my BaseURL:
BaseUrl = "/owner/showdoc.aspx?file="
The problem here is that for the final URL to be correct in this scenario, the part after the BaseURL has to be encodeURIComponent encoded, because the slashes need to be escaped, since the remainder of the URL is simply a parameter to the main URL. But there is no way for CKFinder to know this with its current configuration scheme. By having simply a "BaseURL" and concatenating the file path to the end of it, the programmer's options are far more limited than if there was a more customizable scheme for mapping file paths to URLs.
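The "more customizable scheme for mapping file paths to URLs" the post asks for, sketched as an added example that is not CKFinder's code and not part of the original thread: instead of a bare `BaseUrl` that the path is concatenated onto, a template carries a `{path}` placeholder, and the mapper escapes the file path according to where the placeholder sits. The `ViewUrlMapper` class, the `{path}` placeholder and the template form are assumptions made for this example.

```csharp
using System;
using System.Linq;

// Added example, not CKFinder code: map a file path into a "View" URL from a template with a
// {path} placeholder. Inside a query string the whole path is one parameter value, so '/' and
// every other reserved character must be percent-encoded (the encodeURIComponent case from the
// post); in the URL path only the individual segments are encoded and '/' stays a separator.
public static class ViewUrlMapper
{
    private const string Placeholder = "{path}";

    public static string Map(string template, string filePath)
    {
        int at = template.IndexOf(Placeholder, StringComparison.Ordinal);
        if (at < 0)
            throw new ArgumentException("template must contain " + Placeholder, "template");

        string prefix = template.Substring(0, at);
        string suffix = template.Substring(at + Placeholder.Length);
        string relative = filePath.TrimStart('/');

        string encoded;
        if (prefix.IndexOf('?') >= 0)
        {
            // Placeholder is a query parameter value: escape everything, '/' included.
            encoded = Uri.EscapeDataString(relative);
        }
        else
        {
            // Placeholder is in the URL path: escape each segment, keep the separators.
            encoded = string.Join("/", relative.Split('/').Select(Uri.EscapeDataString));
        }
        return prefix + encoded + suffix;
    }
}
```

With the template `"/owner/showdoc.aspx?file={path}"` and the file `"/docs/report 2010.pdf"`, `Map` yields `/owner/showdoc.aspx?file=docs%2Freport%202010.pdf`, which ASP.NET decodes back to `docs/report 2010.pdf` in `Request.QueryString["file"]`; with the template `"/files/{path}"` the same file becomes `/files/docs/report%202010.pdf`. Plain concatenation onto a `BaseUrl` cannot tell these two cases apart, which is exactly the limitation the post describes.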