security issue with image display

an uploaded image is shown by a direct reference to the /storage directory like ---img width="100" src="/storage/pathToImage/"---- The system should not support a direct access to /storage by a proper permission setting. Users should not be able to access any /storage information by a URL. To fix that for the images I suggest to use for getImageDetails() a base64 coded image upload like: $imgpath =

$imagePath.$

imageId."_".$imageName;

$type = pathinfo($

imgpath, PATHINFO_EXTENSION);

$data = file_get_contents($

imgpath);

$str = "data:image/".$

type.";base64,".base64_encode(

There was an error rendering this math block. KaTeX parse error: Expected '}', got 'EOF' at end of input: …h="100" src="{

str}"---

Added suggestion label

We need to impose deny from all in storage folder and then route file access through index.php (which enforces authenticated access).

Few uploads would need to be exposed without authentication - like images used for email etc... which will pushed into public_storage (new folder).

We have the case that an image should be hided for certain users. They should not be able to download an image, even if they know the location at the server.

Why not use Documents for the same which allows control of user-access.

My point is, as long you can access /storage directly by a url you have a security issue. This is currently illustrated by the src parameter for img access. I could remember the URL and can still access the image, even if someone revoked my access permission to the data set itself.

URL should be routed through index.php noted. btw you can also set storage_directory path out of vtigercrm folder.

@frank.piepiorra Please get back to us if you need any further assistance.

Status changed to closed

Milestone changed to 6.5.0