• Resolved mitya1260

    (@mitya1260)


    Hello! I found a problem: after downloading any file to your device via your plugin, you can download the same file via a direct download link an unlimited number of times, and so can any other person, bypassing any restrictions on roles, IP, registration, etc. Even without payment! It is enough to have the link that the file was downloaded from. For example: mysite.com/wp-content/uploads/edd/symlinks/filename.zip (the link does not exist, this is just an example)

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Chris Klosowski

    (@cklosows)

    @mitya1260

    The symlink feature requires that WP Cron can run. If this does not run, the symlinked files cannot be cleaned up. Furthermore, you can disable the symlink’d download feature and be sure to use this doc on protecting your files:

    https://docs.easydigitaldownloads.com/article/194-are-download-files-protected

    Thread Starter mitya1260

    (@mitya1260)

    Yes, it works. But the cron task is too slow. And before it is deleted, the user has time to share it for selfish purposes. The symlink link is valid even if the download is limited to one download, until the cron task is triggered 🙁

    • This reply was modified 5 years, 2 months ago by mitya1260.
    Plugin Author Chris Klosowski

    (@cklosows)

    @mitya1260 The symlink only exists for 60 seconds. Once the user clicks to download the file, we generate the symlink, and 60 seconds later the symlink file is removed.

    Even if the user has enough time to share that symlink, the file will no longer exist in 60 seconds.


The topic ‘Secure problem’ is closed to new replies.
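An added example, not part of the thread and not the plugin's own code: a site owner can check whether the 60-second cleanup described above is actually happening by listing symlinks in the symlink directory that are older than that. The directory path is taken from the example URL in the first post, the function names are hypothetical, and treating a link's own modification time as its creation time is an assumption.

```python
"""Audit a download-symlink directory for links that outlived their TTL."""
import os
import time

TTL_SECONDS = 60  # lifetime the plugin author states in the thread


def stale_symlinks(directory, ttl=TTL_SECONDS, now=None):
    """Return [(path, age_seconds)] for symlinks older than ttl, oldest first."""
    now = time.time() if now is None else now
    stale = []
    # os.walk does not follow symlinked directories, so targets are never entered.
    for root, dirs, files in os.walk(directory):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue  # regular files and directories are not our concern
            # lstat reads the link itself, not the protected file it points to.
            age = now - os.lstat(path).st_mtime
            if age > ttl:
                stale.append((path, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def remove_stale(directory, ttl=TTL_SECONDS, now=None):
    """Unlink every stale symlink (never the target) and return removed paths."""
    removed = []
    for path, _age in stale_symlinks(directory, ttl, now):
        os.unlink(path)  # removes only the link
        removed.append(path)
    return removed


if __name__ == "__main__":
    import sys
    # Default path is an assumption based on the example URL in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads/edd/symlinks"
    leftovers = stale_symlinks(target)
    for path, age in leftovers:
        print(f"{age:8.0f}s  {path}")
    # Non-zero exit lets a monitoring job alert when cleanup is not running.
    sys.exit(1 if leftovers else 0)
```

Run from a system cron job, a non-empty result indicates that WP Cron is not removing the links on schedule.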