action #589
Fix security hole with uploaded files
Status: Closed
Priority: Immediate
Assignee:
Category: Development
Target version:
Start date: 2013-07-11
Due date:
% Done: 100%
Estimated time:
Description
With the current implementation, uploaded files (which include invoices and signed reimbursements) are not protected by access control. An attacker only needs to guess the URL (which is not easy, anyway) to read sensitive information.