Add private keys to cdn and webserver
Open, Needs Triage, Public

Description

Currently someone aware of an OCS CDN installation can upload arbitrary image content without using OCS webserver to do so.

We would need to add an ini or config file to CDN which contains a private key, and a matching key in OCS webserver, so OCS CDN will deny uploads without the accompanying key. This will prevent unauthorized content from being loaded hidden from webserver.

There are now forks for ocs-cdn and ocs-webserver containing the private key patches.

OCS Webserver should be patched first, then OCS-CDN. Once OCS CDN is patched it will reject uploads until the config file is made, and OCS Webserver has the patching private key added to applications.ini.

ronaldv moved this task from To Do to Work in Progress on the KDE Store board. Nov 21 2017, 10:28 AM
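A sketch of the check the task describes, added here as an illustration and not taken from the ocs-cdn or ocs-webserver forks: the CDN reads a shared key from its config and rejects every upload until that key exists and the upload is authenticated with it. It goes one step beyond the task by sending an HMAC of the file instead of the key itself; the `[upload]` section, the `private_key` option and all function names are assumptions.

```python
import configparser
import hashlib
import hmac

# Constructed sample config; section and option names are assumptions.
CDN_INI = """
[upload]
private_key = 3f9c0e5a-constructed-sample-key
"""

def load_key(ini_text):
    """Return the shared key as bytes, or None when it is absent or empty."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    key = parser.get("upload", "private_key", fallback="").strip()
    return key.encode() if key else None

def sign_upload(key, body):
    """Webserver side: tag the upload so the key itself never leaves the host."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def accept_upload(cdn_key, body, tag):
    """CDN side: fail closed without a configured key, else verify the tag."""
    if cdn_key is None or not tag:
        return False
    expected = hmac.new(cdn_key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), tag.encode())

def demo():
    """Run the accept/reject cases against constructed sample data."""
    key = load_key(CDN_INI)
    image = b"\x89PNG constructed sample bytes"
    good_tag = sign_upload(key, image)
    return {
        "signed": accept_upload(key, image, good_tag),
        "no_tag": accept_upload(key, image, ""),
        "wrong_key": accept_upload(key, image, sign_upload(b"other", image)),
        "swapped_body": accept_upload(key, b"other bytes", good_tag),
        "cdn_unconfigured": accept_upload(load_key(""), image, good_tag),
    }

if __name__ == "__main__":
    print(demo())
```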