Mike Mooney

Forum Replies Created

Viewing 11 posts - 1 through 11 (of 11 total)
Feb 15, 2025 at 5:05 pm
#203642
Participant
Mike Mooney
OP

I fully understand – my issue is that you clearly don’t understand the issue – no matter how many times I explain it – with detailed use cases.

THE ISSUE ISN’T HIDING THE URL!!! THE ISSUE IS THAT THE DOWNLOAD URL – WHICH PROTECTS NON .EXE FILES WITH THE CORRECT FILE PERMISSIONS – ISN’T DOING THE SAME FOR .EXE DOWNLOADS!!!!!!!

Can you please pass this issue over to a developer who has the skillset to resolve the bug please!! You do not understand the problem at all and keep palming me off with answers that are not relevant.

Feb 15, 2025 at 11:32 am
#203635
Participant
Mike Mooney
OP

This is not a suitable solution – you’ve simply altered the configuration to hide the bug!!! Not really an acceptable solution given:

1) I need that to open in a new window – that’s why that setting was in place …
2) The URL (and others containing the .exe bug) have already been made available …

Can you please pass this issue over to a developer who has the skillset to resolve the bug please. Security through obscurity is NOT a viable software engineering solution.

https://en.wikipedia.org/wiki/Security_through_obscurity#Criticism

Feb 14, 2025 at 10:43 am
#203615
Participant
Mike Mooney
OP
This reply has been marked as private.
Feb 13, 2025 at 6:27 pm
#203590
Participant
Mike Mooney
OP

Use case

OK then please explain that when accessing this link – logged out – to a URL functions as intended – a permission denied .txt is served – respecting the permissions set against the package in the WPDM interface (.zip file in package)

https://stoneridge-tachographs.com/importers/download/optimo-linx-upgrader-4-8-2000-3322-to-7-0-3000-4051/?wpdmdl=8420&refresh=67a3641682a271738761238

And this does not (.exe file in package)

https://stoneridge-tachographs.com/importers/download/optimo-dell-7-7-2000-4152/?wpdmdl=11164&refresh=67a35a62488641738758754

This has absolutely nothing to do with the masking of the URL – the issue would be present for both surely? The script/hook/process that intercepts the download – and prevents access to the file based on permissions – isn’t working for packages containing .exe files – highlighted by the very specific use case provided. It’s a bug – not a config issue – not a masking issue – a bug.

Can you please take a look

Feb 13, 2025 at 4:07 pm
#203580
Participant
Mike Mooney
OP

Hi there

This URL has the issue

https://stoneridge-tachographs.com/importers/download/optimo-dell-7-7-2000-4152/?wpdmdl=11164&refresh=67a35a62488641738758754

To be clear

– The url should not be accessible / permit download if the user isn’t logged in (it currently can and shouldn’t)
– The bug seems to be for packages that contain .exe files only

I’m not sure how much clearer I need to be

Regards

Mike

Feb 6, 2025 at 9:33 am
#203399
Participant
Mike Mooney
OP
This reply has been marked as private.
Feb 5, 2025 at 4:56 pm
#203380
Participant
Mike Mooney
OP

This is the masked HTML for the buggy .exe package – the file can be downloaded without any user role / direct

Download

It’s irrelevant whether it’s masked – accessing the link directly from either should prevent download if permissions are set

This is the masked HTML for a working .zip package – permission is denied unless logged in

Download

BOTH packages require the user to have the ‘Subscriber’ role

Feb 5, 2025 at 1:17 pm
#203370
Feb 5, 2025 at 1:15 pm
#203369
Participant
Mike Mooney
OP

This only seems to affect files with the .exe extension

Aug 29, 2019 at 8:45 am
#111733
Participant
Mike Mooney
OP

Line 422 – uses realpath($new_path) – should be $new_path (realpath checks for existence of the file and returns false)

Aug 29, 2019 at 8:31 am
#111731
Participant
Mike Mooney
OP

Seems when I var_dump realpath($old_path) and realpath($new_path) in wpdm-filemanager/classes/fileManager.php line 422 realpath($new_path) is false (which is why I’m guessing it fails)
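
The realpath() behaviour described in the two 2019 posts above, as an added example that is not part of the original posts and is not the plugin's code. It goes one step beyond the posts by canonicalising the destination's parent directory, so a rename target that does not exist yet can still be checked against a base directory; `resolve_new_path()`, the `fm_demo_` directory and the file names are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from wpdm-filemanager.

/**
 * Resolve a rename/move destination that does not exist yet.
 * realpath() returns false for a missing path, so canonicalise the parent
 * directory (which must exist) and re-attach the final name component.
 */
function resolve_new_path(string $base_dir, string $new_path)
{
    $base   = realpath($base_dir);
    $parent = realpath(dirname($new_path));
    $name   = basename($new_path);
    if ($base === false || $parent === false
        || $name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Containment check on the canonical parent: rejects ../ and symlink escapes.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($parent . DIRECTORY_SEPARATOR, $base) !== 0) {
        return false;
    }
    return $parent . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . uniqid();
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/old.txt', 'demo');

$old_path = $root . '/files/old.txt';
$new_path = $root . '/files/new.txt';

// The target has not been created yet, so realpath() cannot resolve it.
var_dump(realpath($new_path));

// Resolving via the parent directory gives a usable, canonical destination.
$safe = resolve_new_path($root . '/files', $new_path);
var_dump($safe !== false && rename($old_path, $safe));

// A destination that climbs out of the base directory is refused.
var_dump(resolve_new_path($root . '/files', $root . '/files/../escaped.txt'));

// Remove the constructed sample tree.
unlink($safe);
rmdir($root . '/files');
rmdir($root);
```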
