Access to Files through restriction


#1

Files that have been uploaded to /phabricator/files and restricted to be only visible to Administrators can be accessed by normal users by calling them in a wiki article through their ID.

How to reproduce:

  1. Create an image file on your computer
  2. Go to your phabricator/files/
  3. Upload file and restrict access to “Administrator”. The file now has the unique ID F1234.
  4. Switch to user with non-Administrator access
  5. Use new user to create a new wiki article
  6. Access file by using {F1234}
  7. A preview of the file will be shown in the wiki article

Because files have continuous IDs, it’s very easy for normal users to spot “holes” in the files they have access to, and they can then circumvent the restriction by embedding the file somewhere.
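As an added illustration of the check this report is about (example code, not Phabricator's own; the `User`/`StoredFile` classes, the policy values `"users"`/`"admin"`, the `FILES` table and the rendered strings are all constructed for this example), the following models the flawed embed path beside a hardened one in which the `{F1234}` reference is resolved against the policy of the user *viewing* the page. It also renders "no such file" and "not permitted" identically, so probing consecutive IDs does not reveal which gaps are restricted files.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the {F1234} embed syntax used in the report.
EMBED_RE = re.compile(r"\{F(\d+)\}")


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class StoredFile:
    file_id: int
    name: str
    view_policy: str  # constructed policy names: "users" or "admin"

    def visible_to(self, viewer: User) -> bool:
        # The single place the visibility rule lives; every code path
        # that reveals a file must go through it.
        if self.view_policy == "admin":
            return viewer.is_admin
        return True


# Constructed sample store: F1234 is the admin-only upload from the report,
# its neighbours are ordinary files visible to everyone.
FILES = {
    1233: StoredFile(1233, "logo.png", "users"),
    1234: StoredFile(1234, "restricted.png", "admin"),
    1235: StoredFile(1235, "banner.png", "users"),
}


def render_unchecked(markup: str, viewer: User) -> list[str]:
    """Flawed embed path: resolves the ID but never consults the viewer.
    This is the behaviour the report describes (a preview is shown)."""
    rendered = []
    for match in EMBED_RE.finditer(markup):
        file_id = int(match.group(1))
        stored = FILES.get(file_id)
        if stored is None:
            rendered.append(f"[F{file_id}: not available]")
        else:
            rendered.append(f"<img src=/F{stored.file_id}>")
    return rendered


def render_checked(markup: str, viewer: User) -> list[str]:
    """Hardened embed path: the policy check runs at render time against the
    user who is viewing the page, not the user who wrote the markup."""
    rendered = []
    for match in EMBED_RE.finditer(markup):
        file_id = int(match.group(1))
        stored = FILES.get(file_id)
        if stored is None or not stored.visible_to(viewer):
            # Same placeholder for "no such file" and "not permitted", so a
            # viewer walking consecutive IDs cannot tell the two apart.
            rendered.append(f"[F{file_id}: not available]")
        else:
            rendered.append(f"<img src=/F{stored.file_id}>")
    return rendered


def accessible_ids(viewer: User) -> list[int]:
    """File listing filtered through the same rule, so the listing and the
    embed path can never disagree about what a viewer may see."""
    return sorted(f.file_id for f in FILES.values() if f.visible_to(viewer))


if __name__ == "__main__":
    alice = User("alice")
    root = User("root", is_admin=True)
    page = "see {F1233} and {F1234} and {F9999}"
    print("unchecked:", render_unchecked(page, alice))
    print("checked:  ", render_checked(page, alice))
    print("admin:    ", render_checked(page, root))
    print("alice sees:", accessible_ids(alice))
```

The design point is that the embed renderer and the file listing share one `visible_to` decision; a renderer that does its own lookup without that call is exactly the gap the report describes, regardless of how well the listing itself is filtered.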


#2

No, they can’t.


#3