Univention Bugzilla – Bug 39438
MRTG graphics are visible to everyone knowing the deep link
Last modified: 2021-04-14 14:06:53 CEST
Observed behaviour:
* http(s)://<fqdn-of-your-ucs>/statistic/ requires authentication
* http(s)://<fqdn-of-your-ucs>/statistic/ucs_0load-day.png does NOT require authentication

Expected behaviour:
* Everything under http(s)://<fqdn-of-your-ucs>/statistic/ requires authentication since this might be considered sensitive information

Caused by: /var/www/statistic/.htaccess:
> SetenvIf Request_URI "(statistik/ucs.*\.png)$" allow
> SetenvIf Request_URI "(statistic/ucs.*\.png)$" allow

So all PNG files are readable by everyone.

This goes back to Bug #22513 - is it still true that protecting the PNG files would break the UMC module?
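
The effect of the two quoted rules, as an added example that is not part of the bug report or of UCS: it parses the SetEnvIf lines and lists which request paths would set the `allow` variable. It assumes that `allow` is what the rest of the .htaccess (not quoted in the report) uses to skip authentication; every sample path except ucs_0load-day.png is constructed.

```python
import re

# The two rules quoted in the report from /var/www/statistic/.htaccess.
HTACCESS = r'''
SetenvIf Request_URI "(statistik/ucs.*\.png)$" allow
SetenvIf Request_URI "(statistic/ucs.*\.png)$" allow
'''

# Directive names are case-insensitive in Apache, so "SetenvIf" is accepted.
DIRECTIVE = re.compile(
    r'^\s*SetEnvIf(?P<nocase>NoCase)?\s+(?P<attr>\S+)\s+'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))\s+(?P<vars>.+)$',
    re.IGNORECASE,
)

def parse_setenvif(text):
    """Return (attribute, compiled regex, variables set) per SetEnvIf line."""
    rules = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        pattern = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        flags = re.IGNORECASE if m.group("nocase") else 0
        # "!name" unsets a variable and "name=value" sets it; keep only sets.
        names = {v.split("=")[0] for v in m.group("vars").split() if not v.startswith("!")}
        rules.append((m.group("attr"), re.compile(pattern, flags), names))
    return rules

def paths_setting(rules, paths, variable="allow"):
    """Paths for which some Request_URI rule sets `variable` (unanchored search)."""
    return [p for p in paths
            if any(attr.lower() == "request_uri" and variable in names and rx.search(p)
                   for attr, rx, names in rules)]

# Constructed sample paths; only ucs_0load-day.png is named in the report.
SAMPLE_PATHS = [
    "/statistic/",
    "/statistic/index.html",
    "/statistic/ucs_0load-day.png",
    "/statistik/ucs_0load-week.png",
    "/statistic/ucs_0load-day.png.bak",
]

if __name__ == "__main__":
    for path in paths_setting(parse_setenvif(HTACCESS), SAMPLE_PATHS):
        print("served without authentication:", path)
```
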
We could move the serving of the file into the module backend (which doesn't yet exist). Then they aren't delivered by Apache anymore and the files are only accessible via UMC ACLs.
There is a Customer ID set so I set the flag "Enterprise Customer affected".
*** This bug has been marked as a duplicate of bug 45192 ***
@Jannik: Please verify that this bug is a duplicate of Bug #45192.
<http://errata.software-univention.de/ucs/4.2/238.html>
<http://errata.software-univention.de/ucs/4.2/239.html>