Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. BookStack
  3. Should we switch to STORAGE_TYPE=local_secure in .env?

Should we switch to STORAGE_TYPE=local_secure in .env?

Scheduled Pinned Locked Moved BookStack
2 Posts 2 Posters 802 Views 2 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • luckowL Offline
    luckowL Offline
    luckow
    translator
    wrote on last edited by girish
    #1

    The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
    With STORAGE_TYPE=local_secure in the .env file every upload goes to storage/uploads/images.
    A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-images

    What is your opinion on this topic?

    Pronouns: he/him | Primary language: German

    girishG 1 Reply Last reply
    1
    • luckowL luckow

      The default configuration of BookStack does not secure uploads. If attackers knows the exact URL, they are able to download the file without authentication. That's the default in Cloudrons .env configuration.
      With STORAGE_TYPE=local_secure in the .env file every upload goes to storage/uploads/images.
      A migration to this new behavior is possible, but it cost lifetime. More info about the security settings -> bookstackapp.com/docs/admin/security/#securing-images

      What is your opinion on this topic?

      girishG Offline
      girishG Offline
      girish
      Staff
      wrote on last edited by
      #2

      @luckow I think the feature is still "experimental" per the docs - This solution is currently still in testing you could experience performance issues.

      The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.

      I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.

      1 Reply Last reply
      0
      Reply
      • Reply as topic
      Log in to reply
      • Oldest to Newest
      • Newest to Oldest
      • Most Votes


      • Login

      • Don't have an account? Register

      • Login or register to search.
      • First post
        Last post
      0
      • Categories
      • Recent
      • Tags
      • Popular
      • Bookmarks
      • Search