[SECURITY] Credentials exposed in public URLs

The storage credentials must not be included by default, as they might
also provide write-access to the storage. There should be an option to
integrate read-only credentials to get a file, or have a special base
URL for the public URLs.

diff --git a/Classes/Driver/WebDavDriver.php b/Classes/Driver/WebDavDriver.php
index 94fd869..49e4eab 100644 (file)
--- a/Classes/Driver/WebDavDriver.php
+++ b/Classes/Driver/WebDavDriver.php
@@ -299,14 +299,17 @@ class WebDavDriver extends AbstractDriver {
        }
 
        /**
-        * Returns the public URL to a file.
+        * Returns the public URL to a file. This does not contain a username or password, even if this is
+        * necessary to display the file.
+        *
+        * TODO make it optional to include the username/password
         *
         * @param string $identifier
         * @return string
         */
        public function getPublicUrl($identifier) {
                        // as the storage is marked as public, we can simply use the public URL here.
-               return $this->getResourceUrl($identifier);
+               return $this->baseUrl . ltrim($file, '/');
        }
 
        /**