Make "Download from URL" configurable

[LukasReschke]

The "Download from URL" feature should be configurable and allow at least the following configuration options:

1. Completely disable this feature
2. Disallow private IP addresses

[LukasReschke]

IMHO it would be sane when per default access to all private IP addresses are forbidden and admins would manually need to opt-in. Also loopback addresses should never get resolved.

[LukasReschke]

@jancborchardt FYI – this will be a switch in the config.php most likely.

[DeepDiver1975]

I still vote for killing this feature - tooo broken with respect to some issues:

• content disposition not respected
• authentication not possible

[LukasReschke]

That would from a security PoV really be the best option.

👍 as well.

[karlitschek]

@jancborchardt @MTRichards What do you think about killing this feature?

[LukasReschke]

Please notice that the current implementation is dangerous and there is not really a good way we can make it behave completely secure for all deployment scenarios. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html for an example, this is exactly the way how apps like Prezi got hacked 🙈

[MTRichards]

This is the download URL direct feature? I lean towards OK, but ...
Trying to understand the use case that we can't support anymore.

[LukasReschke]

This is the download URL direct feature?

Yes. That one:

Trying to understand the use case that we can't support anymore.

Downloading warez, a potential DoS vector less, … 🙈

[jancborchardt]

I wonder if it’s used at all or understood. If anything it’s a very slim usecase. I’d be ok with removing it. What do you think @owncloud/designers?

[MorrisJobke]

I'm fine with the removal.

@MTRichards Think of a ownCloud instance that is in an internal net. With this feature you can download stuff from within this internal net. Simple use case: ownCloud in an NAT-ed network. you can access files from behind that NAT router, by using this feature.

[MTRichards]

@MorrisJobke Thanks!
@LukasReschke LOL, you made me chuckle. That was quite funny...:)

I would remove it, I don't think it is a widely used use case.

[DeepDiver1975]

I would remove it, I don't think it is a widely used use case.

furthermore there are more elaborate apps out there afaik - https://apps.owncloud.com/content/show.php/ocDownloader+v2.2?content=150227

@nickvergessen please open a pr to kill this for oc8.1 - THX

[enoch85]

Make ocDownloader a recomended app in appstore?

[DeepDiver1975]

Make ocDownloader a recomended app in appstore?

only if it was reviewed and we know it's properly working

[enoch85]

@DeepDiver1975 Who can make that review and what are the demands for getting an app approved for appstore?

[LukasReschke]

I was so free and did it myself quickly: #14652

[LukasReschke]

https://apps.owncloud.com/content/show.php/?content=169974