Description
Checklist
- This is a bug report, not a question.
- I have searched on the issue tracker for my bug.
- I am running the latest FileBrowser version or have an issue updating.
Version
All
Description
This issue tracks a more thorough fix for GHSA-3v48-283x-f2w4.
Files managed by the File Browser can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making an incidental unprotected sharing of a file possible.
What did you expect to happen?
The user always needs to input the share password in order to be able to download the file(s).
What actually happened?
If the user shares the wrong link, no password is required to download the file. In addition, if the user copies the download link from the Share page, it includes a token which will give access to the file until the share expires (which may never happen, if it is a permanent share).
The token should actually be removed from the URL and the download should only happen in conjunction with the password.
Reproduction Steps
Read more in GHSA-3v48-283x-f2w4
Files
No response