Seafile Bugreport History

a guest
Dec 14th, 2012
I'm quite confused about the security and sharing mechanism of Seafile's HTTP server (listening on port 8082).

When using the "share link" button a unique link with a token is generated to share. This looks quite good, and it's also great that the token changes when deleting the shared link and creating it again.

BUT the download button when using the shared link (and private links too) directs to a URL like http://seafileserver:8082/files/*shorttoken*/filename.ext
The token is still valid after deleting the link in the Seahub interface. It also doesn't change when creating a new link.

I see that the token is recreated at some point (at least if I restart the Seafile server the token is not valid anymore). But it should get invalidated immediately when I delete the link (or as soon as possible).

This means:
- If someone downloads a private file directly from the encrypted https://seahub URL, the download itself is not encrypted, and the URL is unique and not restricted to the user. Everyone in the network can easily capture the URL and download the file as long as the token is valid.

- Deleting the shared link keeps the download URL valid, and anyone with the URL can download it again (and the URL can be captured as well, as it's not a secure connection...)

Of course the general idea is great:
- Files can be served directly without generating high server load, but if that's the reason for the behavior it should be a secure connection by default, and the tokens should be generated for every share and user so that they can become invalid after deleting a shared link.

Am I missing something or is this true? Is there any way to set up at least SSL encryption for the server listening on port 8082? In the wiki I only found the line "Configured by setup-seafile.sh".

EDIT: Sorry for being too fast. I just realized that tokens become invalid after restarting the Seafile server. That means that they are at least not valid forever. But I still think that the download URL should become invalid immediately after deleting a link in the Seahub interface, and SSL encryption should be possible - at least for private downloads.

EDIT2: I had a look at the source code and saw that the expiry time is 1 hour. I think, as this is relatively short, it's not a big security issue that the token is not deleted immediately. Though in my opinion it would be better to have separate tokens for private and for public access, to be able to immediately remove the public token when deleting the shared link.

For httpserver I found in the source code that HTTPS is possible and there seems to be a way to enable it. It would be great to see a notice in the wiki that file downloads via the web interface aren't encrypted by default, and maybe a tutorial on how to enable it (as there is already a tutorial on how to secure the Seahub connection).
With the help of the code I will try to activate it on my test server, and if I find a solution I will share it on the wiki.

Next time I will investigate further before posting an issue. Sorry for that.
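An added example (not from the original post and not Seafile's own code) of the token scheme the post argues for: one download token per file, access kind and user or share link, with share-link tokens dropped the moment the link is deleted and every token expiring after the 1-hour TTL the post found in the source. Class, method and sample names (repo1, alice, share-42) are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 3600  # the 1-hour expiry the post found in the Seafile source

@dataclass
class Token:
    repo_id: str
    path: str
    kind: str    # "private" (logged-in user) or "share" (public share link)
    owner: str   # user name or share-link id the token is bound to
    expires_at: float

class DownloadTokenStore:
    """Hypothetical file-server token store; not Seafile's own code."""
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._tokens = {}

    def issue(self, repo_id, path, kind, owner):
        # one unguessable token per (file, access kind, user or share link)
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = Token(repo_id, path, kind, owner, self._now() + TOKEN_TTL)
        return tok

    def is_valid(self, tok, repo_id, path):
        t = self._tokens.get(tok)
        if t is None or self._now() >= t.expires_at:
            return False  # unknown, revoked or expired token
        return t.repo_id == repo_id and t.path == path

    def revoke_share(self, share_id):
        """Deleting a share link drops only the public tokens bound to it."""
        doomed = [k for k, t in self._tokens.items() if t.kind == "share" and t.owner == share_id]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)

def demo():
    clock = [1_000_000.0]  # constructed clock value
    store = DownloadTokenStore(now=lambda: clock[0])
    priv = store.issue("repo1", "/report.pdf", "private", "alice")  # constructed sample
    pub = store.issue("repo1", "/report.pdf", "share", "share-42")
    check = lambda t: store.is_valid(t, "repo1", "/report.pdf")
    before = (check(priv), check(pub))
    store.revoke_share("share-42")  # the share link is deleted in the UI
    after_revoke = (check(priv), check(pub))
    clock[0] += TOKEN_TTL  # one hour later: the private token expires too
    return before, after_revoke, (check(priv), check(pub))
```

demo() returns ((True, True), (True, False), (False, False)): the private token survives the share deletion, the public one does not, and both die at the TTL.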