Beagle checks received URL (#172)
Bartosz Małkowski opened 5 years ago

Beagle shouldn't check all URLs received in chat. It is very insecure (easy way to track user, identify his IP, or something else). Also, if I receive a one-time URL, then Beagle immediately invalidates it.

My suggestions:

  1. check only URLs with image file extension
  2. add configuration option to make this image download optional

  • Andrzej Wójcik (Tigase) commented 5 years ago

    @bmalkow could you check if there is a way to detect if this is a one-time URL or not? Is a one-time URL only for GET requests, or is it invalidated by a HEAD request as well?

  • Andrzej Wójcik (Tigase) commented 5 years ago

    Or maybe you could point me to the service which generates one-time URLs so I could look into that issue.

  • Andrzej Wójcik (Tigase) commented 5 years ago

    There is currently an option to set image preview max size. If set to 0, then Beagle is not checking the URLs.

  • Bartosz Małkowski commented 5 years ago

    It was just a hypothetical example with a one-time URL. But for sure, when someone sent me a URL to some service, an entry with the URL immediately appeared in this service's log.

  • Andrzej Wójcik (Tigase) commented 5 years ago

    This should be now fixed.
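
The policy discussed in this issue (image extensions only, opt-in download, max size 0 disables), sketched as an added example that is not Beagle's code. `PreviewSettings`, `should_fetch`, `urls_to_fetch` and the extension allow-list are hypothetical names and values chosen for illustration.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed allow-list; the issue only says "image file extension".
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


@dataclass(frozen=True)
class PreviewSettings:  # hypothetical settings object
    previews_enabled: bool = False  # suggestion 2: download is opt-in
    max_preview_bytes: int = 0      # 0 disables previews, as in the thread


def should_fetch(url: str, settings: PreviewSettings) -> bool:
    """Return True only if a preview request may be sent for this URL."""
    if not settings.previews_enabled or settings.max_preview_bytes <= 0:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: fail closed, send nothing
        return False
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    # Judge the extension on the path alone: a query such as ?img=a.png
    # must not make a token-bearing link look like an image.
    return PurePosixPath(parts.path).suffix.lower() in IMAGE_EXTENSIONS


def urls_to_fetch(message: str, settings: PreviewSettings) -> list[str]:
    """URLs in a chat message that pass the policy; all others get no request."""
    return [u for u in URL_RE.findall(message) if should_fetch(u, settings)]


# Constructed sample messages.
SAMPLES = [
    "reset here: https://example.org/reset?token=abc123&img=a.png",
    "look https://example.org/cat.JPG",
    "doc https://example.org/report.pdf",
]

if __name__ == "__main__":
    on = PreviewSettings(previews_enabled=True, max_preview_bytes=1_000_000)
    for msg in SAMPLES:
        print(msg, "->", urls_to_fetch(msg, on))
```

URLs that fail the check get no request of any kind, neither HEAD nor GET, so a one-time link is left unconsumed and the remote service logs nothing.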

Type: Bug
Priority: Normal
Assignee:
Version: 4.0
Reference: tigase/_clients/beagle-im#172