Document Server Security and setHistoryData()

Postby AndrewG » Sat May 13, 2017 9:10 am

Hi OnlyOffice Team,

So we have implemented document change history tracking according to the documentation, and faced the following security issue with the setHistoryData() method:
1) Please recall this doc: https://api.onlyoffice.com/editors/methods#setHistoryData
2) The main concern is the property: "changesUrl": "http://example.com/url-to-changes.zip"

It looks like the request to the given URL ("http://example.com/url-to-changes.zip" in the example above) goes out without any authorization or tokens, and is sent on behalf of the end-user's browser.
This means that the "Document Storage Server" implementation has to allow file downloads via this URL without any authentication, and if the end user is smart enough, he could guess the URLs for other files and download them as well.

Can you please provide some clarification on the mentioned issue and guide us in case we missed something!

Thank you in advance for quick response!
--
Best regards,
Andrew
AndrewG
 
Posts: 16
Joined: Sat May 06, 2017 3:09 am

Re: Document Server Security and setHistoryData()

Postby Maxim » Mon May 15, 2017 12:26 pm

Hello AndrewG!
We plan to use JWT in future releases, but for now you can perform your authentication yourself, because the request to changesUrl is executed from the browser.
Maxim
 
Posts: 1077
Joined: Tue Oct 11, 2016 2:34 pm

Re: Document Server Security and setHistoryData()

Postby AndrewG » Mon May 15, 2017 2:39 pm

Hi Maxim,

Okay, thank you! We just would like to make sure that we didn't miss some details here.

Indeed, we have implemented tokens for signing the URL used to get the changes document, so the URL to the changes doc is signed with a secret and a TTL (time-to-live) and the signature is added as a GET parameter to the original URL.

Works like a charm!
--
Best regards,
Andrew
AndrewG
 
Posts: 16
Joined: Sat May 06, 2017 3:09 am

Re: Document Server Security and setHistoryData()

Postby Maxim » Tue May 16, 2017 7:22 am

Hello AndrewG!
It looks OK!
Maxim
 
Posts: 1077
Joined: Tue Oct 11, 2016 2:34 pm
