From caaa0e515844f61b2c47cb29fb320dfcee0d45a5 Mon Sep 17 00:00:00 2001
From: Timothy Hobbs
Date: Sat, 6 Oct 2018 21:23:44 +0200
Subject: [PATCH] Include ticket secret in path to new attachments in order to reduce URL guessability.
---
 helpdesk/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpdesk/models.py b/helpdesk/models.py
index cb80219d..4c6e0879 100644
--- a/helpdesk/models.py
+++ b/helpdesk/models.py
@@ -781,7 +781,7 @@ def attachment_path(instance, filename):
 """
 import os
 os.umask(0)
- path = 'helpdesk/attachments/%s/%s' % (instance.followup.ticket.ticket_for_url, instance.followup.id)
+ path = 'helpdesk/attachments/%s-%s/%s' % (instance.followup.ticket.ticket_for_url, instance.followup.ticket.secret_key, instance.followup.id)
 att_path = os.path.join(settings.MEDIA_ROOT, path)
 if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
 if not os.path.exists(att_path):
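Review bot: The new `path` line writes `instance.followup.ticket.secret_key` verbatim into the attachment directory name, so the secret ends up in media URLs, web-server access logs, Referer headers and on-disk listings. If that key is also what authorizes access to the ticket elsewhere (not visible in this hunk), anyone who sees one attachment link also holds the ticket credential; a value derived from it keeps the path hard to guess without disclosing the key, e.g. `token = salted_hmac('helpdesk.attachment_path', instance.followup.ticket.secret_key).hexdigest()` (with `from django.utils.crypto import salted_hmac`) used in place of the raw key in the format arguments. An unguessable path is still not access control, and the `os.umask(0)` in the context lines means directories created further down are not restricted by the process umask, so the storage location should be checked for directory listing and local file permissions. `attachment_path` starts and ends outside the hunk.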