My version of HedgeDoc is: 1.9.3
About this security update: Enumerable upload file names · Advisory · hedgedoc/hedgedoc · GitHub
It feels like this fix fixes the issue for uploads that happen after upgrading to v1.9.3, but prior uploads would still be enumerable?
If my understanding above is correct, we probably need a script to migrate/replace old uploads with new ones? Or, for a worst case, a script to just delete them?
Hey @furkanmustafa,
welcome to the community forum.
Your understanding is correct. Two users in our chat genygo and foobarable worked on a script to replace the local uploads. It’s only working for mysql / mariadb and is intended to work for docker, but you may be able to adapt this script for your case. As always a backup for the database and the image folder is recommended.
#!/bin/bash
# Rename pre-1.9.3 uploads to random UUID names and rewrite the references
# in Notes.content. Assumes the database runs in a docker container and that
# `mysql` inside it can connect to the database without extra credentials.
upload_path=/opt/codimd/public/uploads
db_container=codimd_database
db_name=hackmd
log_file=rename_log.txt

# prefix every line read from stdin with a timestamp
adddate() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date)" "$line"
    done
}

for f in "$upload_path"/*; do
    name="${f##*/}"                  # basename, e.g. upload_abc123.png
    if [[ $name =~ ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} ]]; then
        # already has a random name (uploaded after the upgrade)
        echo "skip $f" | adddate >> "$log_file"
    else
        image="${name%%.*}"          # name without extension
        ext="${name:${#image}}"      # extension including the dot, '' if none
        uuid=$(uuidgen)
        mv -v "$f" "$upload_path/$uuid$ext" | adddate >> "$log_file"
        docker exec "$db_container" mysql "$db_name" \
            -e 'UPDATE Notes SET content = REPLACE(content, "'"$image"'", "'"$uuid"'") WHERE content LIKE "'"%$image%"'";' \
            2>&1 | adddate >> "$log_file"
    fi
done
Greetings,
DerMolly
Oh, thanks!
I think I will need to work on adapting this to postgresql and S3(/minio) uploads…
I hope that it shouldn’t be too hard.
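Since the script above is tied to a local upload folder and a mysql client inside docker, here is an added example (not from this thread or the HedgeDoc project) that does the same rename-and-rewrite step in Python so the storage and database pieces can be swapped out. It assumes the old guessable names have the shape `upload_<hex>` with no dot in the stem (the constructed sample names follow that shape; adjust `split_name` if yours differ). The files are renamed in a temporary directory and the `Notes.content` rows are a constructed dict, so it runs offline; in a real run you would read `id, content` from the Notes table, pass each text through `rewrite_content`, and write it back with a parameterised UPDATE (for S3/MinIO, the rename becomes a copy to the new key followed by a delete of the old one). Unlike the SQL `REPLACE`, the rewrite only matches whole names, so an old name that is a prefix of another old name cannot be corrupted.

```python
"""Rename old HedgeDoc uploads to UUID names and rewrite the note references.

Added example modelled on the shell script in the thread above. The upload
directory is renamed in place; the note texts are rewritten here in Python
instead of with SQL REPLACE so that an old name which is a prefix of another
old name ("upload_1a2b3c" inside "upload_1a2b3cdd") cannot be corrupted.
Reading/writing ``Notes.content`` is left to the caller: ``demo()`` uses a
constructed in-memory dict in its place.
"""
import re
import tempfile
import uuid
from pathlib import Path

# Shape of upload names after the 1.9.3 fix: <uuid>.<ext>
UUID_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(\.|$)", re.I
)


def split_name(filename: str):
    """Split at the first dot so 'upload_9f.tar.gz' -> ('upload_9f', '.tar.gz').

    Assumes the old (guessable) stems contain no dot themselves.
    """
    stem, dot, rest = filename.partition(".")
    return stem, dot + rest


def build_rename_plan(upload_dir: Path) -> dict:
    """Map every non-UUID file's stem to a fresh random UUID stem."""
    plan = {}
    for entry in sorted(upload_dir.iterdir()):
        if not entry.is_file() or UUID_NAME.match(entry.name):
            continue  # already random, uploaded after the upgrade: skip
        stem, _ = split_name(entry.name)
        plan[stem] = str(uuid.uuid4())
    return plan


def apply_plan(upload_dir: Path, plan: dict) -> list:
    """Rename the files on disk; returns (old_name, new_name) pairs."""
    renamed = []
    for entry in list(upload_dir.iterdir()):
        stem, ext = split_name(entry.name)
        if stem in plan:
            target = upload_dir / (plan[stem] + ext)
            entry.rename(target)  # same filesystem, so atomic
            renamed.append((entry.name, target.name))
    return renamed


def rewrite_content(content: str, plan: dict) -> str:
    """Replace old stems in note text with their UUID stems, whole names only."""
    if not plan:
        return content
    alternatives = "|".join(re.escape(stem) for stem in plan)
    # the look-arounds stop 'upload_1a2b3c' matching inside 'upload_1a2b3cdd'
    pattern = re.compile(r"(?<![0-9A-Za-z_])(" + alternatives + r")(?![0-9A-Za-z_])")
    return pattern.sub(lambda m: plan[m.group(1)], content)


def demo():
    """Run the migration against a constructed upload dir and note table."""
    keep = "0f8fad5b-d9cb-469f-a165-70867728950e.png"   # already migrated
    old = ["upload_1a2b3c.png", "upload_1a2b3cdd.png", "upload_9f9f9f.tar.gz"]
    notes = {  # constructed stand-in for SELECT id, content FROM Notes
        1: "![](/uploads/upload_1a2b3c.png) ![](/uploads/upload_1a2b3cdd.png)",
        2: "see /uploads/upload_9f9f9f.tar.gz and /uploads/" + keep,
    }
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        for name in old + [keep]:
            (upload_dir / name).write_bytes(b"\x89PNG")  # constructed content
        plan = build_rename_plan(upload_dir)
        renamed = apply_plan(upload_dir, plan)
        new_notes = {nid: rewrite_content(text, plan) for nid, text in notes.items()}
        remaining = sorted(p.name for p in upload_dir.iterdir())
    return plan, renamed, new_notes, remaining


if __name__ == "__main__":
    plan, renamed, new_notes, remaining = demo()
    for old_name, new_name in renamed:
        print(f"{old_name} -> {new_name}")
    for nid, text in new_notes.items():
        print(nid, text)
```

Run the plan on a copy of the upload folder first and compare `renamed` against the rewritten note texts before touching the live database; as DerMolly says, take a backup of both the database and the image folder beforehand.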