Not a bug AWS S3 address exposed from user's profile avatar

BubbaLovesCheese

Active member
Affected version: 2.2
Hi,

I'm not sure if this is an issue or not, I'm not very security minded, but I thought I'd post it in case it mattered.

When using Amazon S3 buckets to host my data and internal_data folders, I noticed that the URL was exposed when clicking (or hovering) on the user's avatar from their profile page.



You can see the URL at the bottom during a hover, and on a right-click, it opens in a new tab with the AWS url in the address bar.

Sorry for posting if it's not an issue.

Thanks!
 
This shouldn't be an issue, but just to check: what do your attachment URLs look like? These aren't exposed. It's not that there's a major issue either way, but full-size attachments (not thumbs) should look like an internal URL.

There is a process you can follow to change your bucket URL into a CNAME that looks like an internal URL if you prefer, but that's an S3 thing, so their documentation will provide more info.
 
Yeah, make a CNAME (like static.yourdomain.com) and point it to the bucket.
Then put the CNAME in your config file instead of the Amazon address. There may also be some TXT record DNS keys to add.

Better yet, create a CloudFront distribution and point its origin to the bucket.
Then point the CNAME to the CloudFront distribution for better edge loading.
 
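Added example, not from this thread or the forum software it discusses: a small Python check for the situation the original poster describes, written in the way a practitioner would verify the fix above. It scans rendered HTML for `src`/`href` values that point straight at an S3 endpoint (virtual-hosted style such as `bucket.s3.amazonaws.com`, regional and `s3-website` variants, and path-style `s3.<region>.amazonaws.com/bucket/...`), reports which bucket names are exposed, and rewrites such a URL onto the custom hostname (`static.yourdomain.com` in the reply above) so the bucket name no longer appears. The sample HTML, the bucket name `forumdata` and the hostname `static.example.com` are constructed for the example. One caveat worth knowing before relying on a bare S3 CNAME: S3 only serves a custom hostname when the bucket is named exactly like that hostname, and it does not terminate TLS for custom domains, which is the practical reason the CloudFront route in the last reply is the one to prefer.

```python
import re
from urllib.parse import urlparse, urlunparse

# Virtual-hosted-style hostnames that carry the bucket name as the first label:
#   bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
#   bucket.s3-website-<region>.amazonaws.com, bucket.s3.dualstack.<region>.amazonaws.com
VHOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:[.-](?:website[-.])?[a-z0-9-]+)*\.amazonaws\.com$"
)
# Path-style endpoints where the bucket is the first path segment:
#   s3.amazonaws.com/bucket/key, s3.<region>.amazonaws.com/bucket/key
PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$")


def s3_bucket_of(url):
    """Return (bucket, key) if url addresses an S3 endpoint directly, else None."""
    p = urlparse(url)
    # Drop any userinfo and port so only the hostname is matched.
    host = p.netloc.lower().split("@")[-1].split(":")[0]
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket"), p.path.lstrip("/")
    if PATH_RE.match(host):
        parts = p.path.lstrip("/").split("/", 1)
        if parts[0]:
            return parts[0], parts[1] if len(parts) > 1 else ""
    return None


def find_exposed_buckets(html):
    """Map each S3 bucket name referenced by src/href attributes to the URLs that leak it."""
    urls = re.findall(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", html, flags=re.I)
    found = {}
    for u in urls:
        hit = s3_bucket_of(u)
        if hit:
            found.setdefault(hit[0], []).append(u)
    return found


def rewrite_to_cname(url, cname_host):
    """Serve the same object key from the custom hostname fronting the bucket.

    Query string and fragment (e.g. avatar cache-busters) are preserved; a URL
    that is not an S3 URL is returned unchanged.
    """
    hit = s3_bucket_of(url)
    if hit is None:
        return url
    p = urlparse(url)
    return urlunparse(("https", cname_host, "/" + hit[1], p.params, p.query, p.fragment))


# Constructed sample of a profile page fragment: two avatar links still pointing at
# the bucket, one asset already behind the custom hostname, one path-style stylesheet.
SAMPLE_HTML = """
<a href="https://forumdata.s3.amazonaws.com/data/avatars/o/0/1.jpg?1700000000">
  <img src="https://forumdata.s3.amazonaws.com/data/avatars/m/0/1.jpg?1700000000" alt="avatar">
</a>
<img src="https://static.example.com/data/avatars/s/0/2.jpg" alt="already fronted">
<link href="https://s3.us-east-1.amazonaws.com/forumdata/styles/default/style.css">
"""

if __name__ == "__main__":
    for bucket, urls in find_exposed_buckets(SAMPLE_HTML).items():
        print(f"bucket '{bucket}' exposed by {len(urls)} URL(s):")
        for u in urls:
            print("   ", u, "->", rewrite_to_cname(u, "static.example.com"))
```

Run it against a saved copy of a profile page after changing the config; an empty result means the avatar and attachment links no longer name the bucket. The rewrite function is the same mapping the config change performs on the server side, shown here so the expected before/after URLs can be compared directly.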