[BUG] Unauthorized user can access /conf.yml
Towerism opened this issue · comments
Environment
Self-Hosted (Docker)
System
Chrome 124.0.6367.201, Debian GNU/Linux 12 (bookworm), Docker 20.10.24+dfsg1 build 297e128
Version
3.1.0
Describe the problem
First of all, thanks for creating this product. It's a beautiful, easy to configure, easy to use dashboard that has made it a pleasure to organize my home network.
Now onto the bug.
With the following settings:
appConfig.disableConfigurationForNonAdmin: true
appConfig.auth.enableGuestAccess: false
an unauthorized user can access /conf.yml and view the entire config. This seems like a security flaw. Unauthorized users should be denied access to /conf.yml.
Additional info
No response
Please tick the boxes
- You have explained the issue clearly, and included all relevant info
- You are using a supported version of Dashy
- You've checked that this issue hasn't already been raised
- You've checked the docs and troubleshooting guide
- You agree to the code of conduct
Closed as duplicate of #668
Please look into the docs before creating a new issue: https://dashy.to/docs/authentication
It's explained here.
Also, you can find a resolution, for example by adding HTTP basic auth.
Also look at this:
#1579 (comment)
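As an added example (not Dashy project code, and not from either participant above), the script below does the two things this thread calls for: it probes whether GET /conf.yml answers anonymously, which is how the reporter observed the problem, and it renders an nginx reverse-proxy server block that enforces HTTP basic auth on every path before anything reaches Dashy, which is the resolution the maintainer points to. The hostname dashy.home.example, the upstream 127.0.0.1:8080 and the htpasswd path /etc/nginx/.htpasswd are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of Dashy. Hostnames, ports and the htpasswd
# path are placeholders chosen for illustration.
set -eu

# Map the HTTP status returned for GET /conf.yml to a verdict.
# 200 means the whole config is readable without credentials;
# 401/403 means the proxy refused it; anything else is inconclusive
# (curl reports 000 when the host is unreachable).
classify_status() {
  case "$1" in
    200)     echo "EXPOSED" ;;
    401|403) echo "PROTECTED" ;;
    *)       echo "UNKNOWN" ;;
  esac
}

# Fetch /conf.yml anonymously from a running instance and classify the
# result. Needs curl and network access, so it is not run offline.
probe_conf() {
  base="$1"
  code=$(curl -s -o /dev/null -w '%{http_code}' "${base%/}/conf.yml")
  classify_status "$code"
}

# Render an nginx server block that requires basic auth for every
# location, /conf.yml included, and only then proxies to Dashy.
# Arguments: server_name, upstream host:port, htpasswd file.
# Create the htpasswd file with, for example:
#   htpasswd -Bc /etc/nginx/.htpasswd admin   (apache2-utils, bcrypt)
render_nginx_conf() {
  server_name="$1"
  upstream="$2"
  htpasswd="$3"
  cat <<EOF
server {
    listen 80;
    server_name ${server_name};

    # Auth is applied at the server level, not per location: Dashy's own
    # login is enforced in the browser, so a direct request for the static
    # config file would otherwise bypass it entirely.
    auth_basic           "Dashy";
    auth_basic_user_file ${htpasswd};

    location / {
        proxy_pass       http://${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Usage (constructed values):
#   probe_conf http://dashy.home.example
#   render_nginx_conf dashy.home.example 127.0.0.1:8080 /etc/nginx/.htpasswd
```

Run probe_conf against the proxy, not the container port, after deploying the rendered config; if the container port is still published on the host, anyone who can reach it directly will still get the file, so bind it to localhost or the Docker network only.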