filepicker_image_url doesn't include the handle in the policy #116

Closed
sguha00 opened this issue Jan 29, 2015 · 6 comments

@sguha00

sguha00 commented Jan 29, 2015

When adding the policy and signature to the image_url, the policy only includes the call and expiry keys and no handle key which is specified here: https://developers.filepicker.io/docs/security/#createPolicy

It seems like the handle key is required to read a secure file

@maurogeorge
Contributor

@sguha00 did you run into any problem? Do you know how to solve it?

This Policy is a thing that I don't know too much about, but as you can see here in #93 I think today this is stable. If you can reproduce an error, please give some examples.

Today the helpers generate URLs like this.

Thanks for your feedback

@maurogeorge
Contributor

Closing, since I got no feedback here.

@danmichaelson

Can this be re-opened? Looking at the code, we are generating a policy that doesn't specify a file handle. It's valid, but it allows converting any image using the same policy. So if your expiry is 100 years, you aren't adding any security at all as far as I know (because the policy can be grabbed from the URL and reused to convert anything else, forever).

This is maybe not a huge deal now, but it will become important once compatibility is added for converting external URLs (as is supported by the new process.filepicker.io syntax) since then the policy can be hijacked to convert an entirely different set of URLs.

@maurogeorge maurogeorge reopened this Jan 5, 2016
@maurogeorge maurogeorge added the bug label Jan 5, 2016
@maurogeorge
Contributor

@danmichaelson I reopened the issue, thanks for the info.

@danmichaelson

I emailed Filepicker support about this, they did point out that the current code adds a little bit of security since you at least can't hijack this policy to upload files. Regardless, specifying the handle is important, especially because I don't think a 10-minute expiry is compatible with CDNs.
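The two comments above describe why a policy with only `call` and `expiry` is reusable: the signature covers the policy, not the URL, so anyone who sees one signed URL can pair the same policy and signature with any other handle until the expiry passes. The following Ruby script is an added example written for this page, not code from filepicker-rails or from Filepicker. It follows the policy scheme in the Filepicker security docs linked in the issue (JSON terms, base64url-encoded, HMAC-SHA256 hex signature over the encoded policy) and models the server-side check to show the difference between an unbound policy and one carrying a `handle`. The app secret, file handles, timestamps and the `policy_allows?` check are constructed for illustration; the real server logic is not on this page.

```ruby
require "json"
require "openssl"

# Constructed demo secret: a real app secret comes from the Filepicker developer portal.
APP_SECRET = "0123456789abcdef0123456789abcdef".freeze

# Base64url (padded) via pack/unpack so no extra gems are needed.
# Whether Filepicker expects padding is an assumption here.
def b64url_encode(str)
  [str].pack("m0").tr("+/", "-_")
end

def b64url_decode(str)
  str.tr("-_", "+/").unpack1("m0")
end

# Encode a policy hash and sign it with HMAC-SHA256 (hex digest), the scheme
# described in the Filepicker security docs linked in the issue.
def sign_policy(secret, terms)
  policy    = b64url_encode(JSON.generate(terms))
  signature = OpenSSL::HMAC.hexdigest("SHA256", secret, policy)
  [policy, signature]
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte
# from timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of the check a file server performs when a signed URL is requested.
# Illustrative only, not Filepicker's server code. The last check is the point
# of the issue: a policy with no "handle" term matches every file.
def policy_allows?(secret, policy, signature, handle:, call:, now:)
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, policy)
  return false unless secure_compare(expected, signature)
  terms = JSON.parse(b64url_decode(policy))
  return false if terms["expiry"].to_i <= now
  return false unless Array(terms["call"]).include?(call)
  return false if terms.key?("handle") && terms["handle"] != handle
  true
end

# Side by side: the unbound policy (call + expiry only, as the helper in the
# issue generates it) versus one bound to a single file handle.
def demo(now: 1_452_000_000)
  expiry = now + 100 * 365 * 24 * 3600 # the 100-year expiry raised in the thread
  own    = "AAAAAAAAAAAAAAAAAAAA"      # constructed handles, not real Filepicker ones
  other  = "ZZZZZZZZZZZZZZZZZZZZ"
  calls  = %w[read convert]

  unbound, unbound_sig = sign_policy(APP_SECRET, { "call" => calls, "expiry" => expiry })
  bound,   bound_sig   = sign_policy(APP_SECRET, { "call" => calls, "expiry" => expiry, "handle" => own })

  # A policy re-encoded for a different handle but presented with the old signature.
  forged = b64url_encode(JSON.generate({ "call" => calls, "expiry" => expiry, "handle" => other }))

  check = ->(pol, sig, h, at = now) { policy_allows?(APP_SECRET, pol, sig, handle: h, call: "convert", now: at) }

  {
    unbound_own:   check.(unbound, unbound_sig, own),         # true
    unbound_other: check.(unbound, unbound_sig, other),       # true: reusable for any file
    bound_own:     check.(bound, bound_sig, own),             # true
    bound_other:   check.(bound, bound_sig, other),           # false: bound to one handle
    bound_forged:  check.(forged, bound_sig, other),          # false: signature no longer matches
    bound_expired: check.(bound, bound_sig, own, expiry + 1)  # false: past expiry
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, allowed| puts "#{name}: #{allowed}" }
end
```

The `unbound_other` result is the hijack described in the thread: the policy and signature lifted from one image URL authorize a conversion of any other handle for the full expiry window. Adding the `handle` term turns that into `bound_other`, a rejection, while still allowing a long expiry that a CDN can cache.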

@dirkkelly
Contributor

@danmichaelson @maurogeorge I've opened a Pull Request that adds the handle to secure url generation.

@kyuss kyuss closed this as completed in #154 Apr 6, 2017