
Critical Security Bug - Calibre Web - Allows to download books even if the user has EDITOR ROLE #3329

Closed
UsuarioAnonimo opened this issue Mar 6, 2025 · 2 comments

@UsuarioAnonimo

I wrote a mail with all the information to [email protected], so I'm waiting for a response!

@OzzieIsaacs
Collaborator

Good job, I hope you never find something really relevant. You should not post it everywhere. This is not helping to solve real security problems.

To your finding: Yes, if YOU can SEE the book in the browser, YOU HAVE the book on your computer and can take a copy of it. If you watch a video on youtube/amazon,... you also can take a copy of it, this is how it works. If you have a lot of money and time you can encrypt your javascript code, try to prevent debugging the page, insert captchas into the code, check if a real browser is really showing the book, and so on. I'm not an expert programmer and can easily bypass half of the methods; for almost 99% of the additional methods you can find tools on the internet to do so. Calibre-web is for home and small office use and not a professional webshop, so I will not spend any time on avoiding this, as you never can block it totally. I can make a note in the FAQ, but not more.

Somebody generated a PR for this nice feature to split the download and view role. I was not convinced about it; I also mentioned it in the PR (but because you wrote meanwhile 3 messages on different channels, I'm not gonna search for it anymore).

@UsuarioAnonimo
Author

I get it! :) I misunderstood, I guess; well, it's ok! I will also not publish the way I did it, nor the script that automates everything! It's a really nice app, sorry for the inconvenience.
