When an admin revokes a user's Share and Download permissions, share links that user created earlier remain fully accessible to unauthenticated clients: the public share download handler never re-checks the share owner's current permissions, so revocation has no effect on links that already exist. Verified with a running PoC against v2.62.2 (commit 860c19d).
Share creation (http/share.go:21-29) correctly checks both permissions before a link can be made:
func withPermShare(fn handleFunc) handleFunc {
    return withUser(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        // Both Share and Download are required to create a link.
        if !d.user.Perm.Share || !d.user.Perm.Download {
            return http.StatusForbidden, nil
        }
        return fn(w, r, d)
    })
}
But share access (http/public.go:18-87, withHashFile) does not. Abridged, with the file's line numbers in the comments:
var withHashFile = func(fn handleFunc) handleFunc {
    return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
        // ... id is the share hash parsed from the request path
        link, err := d.store.Share.GetByHash(id)   // line 21: checks the share exists
        authenticateShareRequest(r, link)          // line 26: checks the share password, if any
        user, err := d.store.Users.Get(...)        // line 31: looks up the share owner
        d.user = user                              // line 36: the request now acts as the owner
        file, err := files.NewFileInfo(...)        // line 38: resolves the file with the owner's Fs
        // MISSING: no check of d.user.Perm.Share or d.user.Perm.Download before serving
        ...
    }
}
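To make the gap concrete, the following is an added example, not File Browser's own code: it models the two middlewares against an in-memory user and share store, reproduces the vulnerable behaviour (enforce=false) and shows the fix (enforce=true), which is simply to re-apply the withPermShare condition to the share owner at access time. The type names, the store layout, the download URL shape and the hash-from-path parsing are assumptions chosen to mirror the excerpts above; the share hash and file path are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// Minimal stand-ins for the types withHashFile touches (assumed names, not
// the project's definitions).
type Perm struct {
	Share    bool
	Download bool
}

type User struct {
	ID   uint
	Perm Perm
}

type Link struct {
	Hash   string
	UserID uint
	Path   string
}

// data is the per-request context; users and shares stand in for d.store.
type data struct {
	users  map[uint]*User
	shares map[string]*Link
	user   *User
	link   *Link
}

type handleFunc func(w http.ResponseWriter, r *http.Request, d *data) (int, error)

// ownerStillPermitted is the check the advisory identifies as missing: the
// same condition withPermShare enforces at creation time, re-applied to the
// share owner's *current* permissions at access time.
func ownerStillPermitted(u *User) bool {
	return u.Perm.Share && u.Perm.Download
}

// withHashFile follows the shape of the vulnerable middleware: resolve the hash
// to a link, the link to its owner, install the owner as d.user, then hand off.
// With enforce=false it reproduces the bug; with enforce=true it applies the fix.
func withHashFile(enforce bool, fn handleFunc) handleFunc {
	return func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
		hash := path.Base(r.URL.Path) // assumption: hash is the last path element
		link, ok := d.shares[hash]
		if !ok {
			return http.StatusNotFound, nil
		}
		owner, ok := d.users[link.UserID]
		if !ok {
			return http.StatusNotFound, nil
		}
		d.user = owner
		d.link = link
		// The fix: a share is only as valid as its owner's present permissions.
		if enforce && !ownerStillPermitted(d.user) {
			return http.StatusForbidden, nil
		}
		return fn(w, r, d)
	}
}

// serveShare stands in for the download handler wrapped by withHashFile.
func serveShare(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
	fmt.Fprintf(w, "contents of %s (served as user %d)", d.link.Path, d.user.ID)
	return http.StatusOK, nil
}

// AccessStatus creates one user with the given permissions and one share owned
// by that user, then returns the HTTP status an unauthenticated download of the
// share gets from the vulnerable (enforce=false) or fixed (enforce=true) handler.
func AccessStatus(enforce bool, ownerPerm Perm) int {
	d := &data{
		users:  map[uint]*User{1: {ID: 1, Perm: ownerPerm}},
		shares: map[string]*Link{"abc123": {Hash: "abc123", UserID: 1, Path: "/private/report.pdf"}},
	}
	// Constructed request: no X-Auth header, i.e. an anonymous client.
	req := httptest.NewRequest(http.MethodGet, "/api/public/dl/abc123", nil)
	rec := httptest.NewRecorder()
	status, _ := withHashFile(enforce, serveShare)(rec, req, d)
	return status
}

func main() {
	granted := Perm{Share: true, Download: true}
	revoked := Perm{Share: false, Download: false}
	fmt.Println("owner permitted, vulnerable:", AccessStatus(false, granted)) // 200
	fmt.Println("owner revoked,   vulnerable:", AccessStatus(false, revoked)) // 200: link still works
	fmt.Println("owner revoked,   fixed:     ", AccessStatus(true, revoked))  // 403
}
```

The fixed branch deliberately rejects when either permission is missing, matching withPermShare exactly, so an admin who revokes only Download also cuts off existing links rather than leaving a half-revoked state.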
# Step 1: Login as admin
TOKEN=$(curl -s -X POST http://localhost:18080/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"<admin-password>"}')
# Step 2: Create testuser with Share+Download permissions
curl -X POST http://localhost:18080/api/users \
-H "X-Auth: $TOKEN" -H "Content-Type: application/json" \
-d '{"what":"user","which":[],"current_password":"<admin-password>",...
2.63.1

CVSS v4.0 base score: 8.2 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Exploitability:     AV:N  AC:L  AT:P  PR:N  UI:N
Vulnerable System:  VC:H  VI:N  VA:N
Subsequent System:  SC:N  SI:N  SA:N