Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Should we switch to STORAGE_TYPE=local_secure in .env?

Scheduled Pinned Locked Moved BookStack
2 Posts 2 Posters 262 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • luckowL Offline
    luckowL Offline
    luckow translator
    wrote on last edited by girish
    #1

    The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
    With STORAGE_TYPE=local_secure in the .env file every upload goes to storage/uploads/images.
    A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-images

    What is your opinion on this topic?

    Pronouns: he/him | Primary language: German

    girishG 1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    replied to luckow on last edited by
    #2

    @luckow I think the feature is still "experimental" per the docs - This solution is currently still in testing you could experience performance issues.

    The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.

    I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.

    1 Reply Last reply
    0

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.