• Rino

    (@torinotorino)


    Links to attached files are in the following format:

    https://www.example.com/?wpsc_attachment=1&tid=1&tac=9bNVzXo6kd

    Links to inline images are in the following format:

    https://www.example.com/?wpsc_img_attachment=1

    If I paste these links in my browser I get served with the image and the attachment, without being logged in.

    I want to prevent people from accessing these attachments from outside my domain, i.e. I only want them to be accessible to customers and agents if they click on the links from the ticket view.

    This is a big privacy/security concern for me. I don’t really want the attachments and images being accessible from notification emails either. I don’t want anyone fishing for what images and files may have been attached to tickets.

    Am I concluding correctly that SupportCandy does not check if a user is logged in (or what privileges they have) before returning images and attachments?

    Can you suggest some ways as to how to prevent both direct and non-logged-in access? An option I’m thinking of might be to use this in .htaccess:

    # Condition 1: referer is not our own site (case-insensitive)
    RewriteCond %{HTTP_REFERER} !^https://www\.example\.com/ [NC]
    # Condition 2 OR 3: the query string is an attachment or inline-image request
    RewriteCond %{QUERY_STRING} ^wpsc_attachment=([0-9]+) [NC,OR]
    RewriteCond %{QUERY_STRING} ^wpsc_img_attachment=([0-9]+) [NC]
    # Conditions are ANDed, so this fires for: foreign referer AND (attachment OR image).
    # A non-3xx status with "-" drops the substitution and stops rewriting.
    RewriteRule (.*) - [R=404,L]

    If you have some suggestions for some better rules above, please let me know!

    Cheers
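    A server-side alternative to the referer rule above, added here as an example and not code from SupportCandy or from the original post. It keys on WordPress login state instead of the client-controlled Referer header, and assumes the plugin serves the file on or after the `init` hook; the function names are made up for this example:

```php
<?php
/*
 * Plugin Name: Gate SupportCandy attachment URLs (added example, not part of SupportCandy)
 *
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the attachment handler runs on or after the 'init' hook, so a
 * callback at priority 0 on 'init' sees the request first. If the plugin
 * serves files earlier than that, hook 'plugins_loaded' instead.
 */

// Query parameters seen in the attachment and inline-image links above.
const GATE_WPSC_PARAMS = array( 'wpsc_attachment', 'wpsc_img_attachment' );

// True when the request carries one of the attachment query parameters.
function gate_wpsc_is_attachment_request( array $query ) {
    foreach ( GATE_WPSC_PARAMS as $param ) {
        if ( isset( $query[ $param ] ) ) {
            return true;
        }
    }
    return false;
}

function gate_wpsc_attachment_access() {
    if ( ! gate_wpsc_is_attachment_request( $_GET ) ) {
        return; // Not an attachment URL: nothing to do.
    }
    // The Referer header is set by the client and is usually empty for links
    // opened from e-mail, so a referer check is not an access control.
    // Login state is checked on the server and cannot be spoofed by the client.
    if ( ! is_user_logged_in() ) {
        // Leave a trail in the PHP/web server error log for the denied request.
        error_log( 'wpsc attachment denied (not logged in): '
            . sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ) ) );
        nocache_headers(); // Make sure a 403 is never cached by an intermediary.
        wp_die(
            'You must be logged in to view ticket attachments.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
}
add_action( 'init', 'gate_wpsc_attachment_access', 0 );
```

    This only enforces "logged in", not "allowed to see this ticket"; per-ticket authorization still has to come from the plugin itself.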

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author SupportCandy

    (@supportcandy)

    Hello there,

    This is a known issue and we will be fixing this in our next major release 3.0 which may be available within a couple of months.

    Request you to wait until then.

    I think the so-called “major” release has been a “couple of months” moving target for at least the past 6 months!

    I recognize that this project is on an as-time-permits development schedule with very little $$$ support in terms of license fees or sponsorship. However, lately I have noticed more and more users using the software, yet few seem to be willing to pay for it. That is really not helpful to the development team. I encourage all those users who keep asking for features or customization etc. to consider paying and supporting the development so we can see the new 3.0 release in this lifetime!

    Plugin Author SupportCandy

    (@supportcandy)

    Hello @ezblue

    Well yes, it is true that it has been stretched so long. The reason behind this is that during the pandemic we had some trouble finding time to spend on active development.

    Things are back on track nowadays and hopefully, we’ll manage to meet the deadlines.

  • The topic ‘Accessing attachments from the domain only’ is closed to new replies.