The picture link can read pictures without logins
ma-ruifeng opened this issue
ma-ruifeng commented
mawise commented
Haven generates new image links each time a page loads. Those links contain temporary credentials which expire. The way an image could leak this way would be for someone with access to get a link, and give it to someone else immediately for the other person to use without delay. However, in this case, the person with existing access could just as easily download the image and give it to someone else.
The link you pasted currently returns an error message:
<Code>AccessDenied</Code>
<Message>Request has expired</Message>
Thanks for being security focused, and please let me know if you think there is an issue with the approach I take here!
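An added example, not part of the thread or of Haven's code: it computes the window during which a copied image link stays usable and flags links signed for longer than a policy limit. It assumes the links are AWS SigV4 presigned URLs carrying `X-Amz-Date` and `X-Amz-Expires` query parameters, which the thread does not confirm; the sample URL and the 3600-second limit are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample link: hypothetical bucket, key and credential,
# placeholder signature. Not a link from the issue.
SAMPLE_URL = (
    "https://example-bucket.s3.amazonaws.com/images/photo.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z"
    "&X-Amz-Expires=300"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=PLACEHOLDER"
)


def presigned_window(url):
    """Return (signed_at, expires_at) in UTC for a SigV4 presigned URL."""
    query = parse_qs(urlsplit(url).query)
    params = {name.lower(): values for name, values in query.items()}
    try:
        signed_at = datetime.strptime(params["x-amz-date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = int(params["x-amz-expires"][0])
    except (KeyError, ValueError) as exc:
        # Missing or malformed parameters: the link is not time-limited this way.
        raise ValueError("not a SigV4 presigned URL") from exc
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at, signed_at + timedelta(seconds=lifetime)


def seconds_remaining(url, now=None):
    """Seconds until the link stops working; 0 once it has expired."""
    now = now or datetime.now(timezone.utc)
    _, expires_at = presigned_window(url)
    return max(0, int((expires_at - now).total_seconds()))


def audit(url, max_lifetime=3600):
    """Report the signed lifetime and whether it exceeds the policy limit.

    max_lifetime is an assumed policy value in seconds, not a Haven setting.
    """
    signed_at, expires_at = presigned_window(url)
    lifetime = int((expires_at - signed_at).total_seconds())
    return {"lifetime": lifetime, "too_long": lifetime > max_lifetime}
```

The signature covers the expiry parameters, so a recipient cannot extend the window by editing the query string; the check above only reads what was signed.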