mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-07-16 05:33:49 +03:00
Shelf-title ending in 'public': breaks 'edit shelf', breaks 'delete shelf'? #2821
Closed
opened 2026-02-05 05:21:00 +03:00 by OVERLORD
·
5 comments
No Branch/Tag Specified
development
l10n_development
release
snyk-action
ci_and_static
mfa_key
phpstan_june26
MilnerMart/development
GamerClassN7/impersonations-for-admin
Zhey-on/feature/csp-image-css-controls-6033
tortillas5/development
llm_only
vectors
McTom234/oidc-key-algorithms
captcha_example
v26.05.2
v26.05.1
v26.05
v26.03.5
v26.03.4
v26.03.3
v26.03.2
v26.03.1
v26.03
v25.12.9
v25.12.8
v25.12.7
v25.12.6
v25.12.5
v25.12.4
v25.12.3
v25.12.2
v25.12.1
v25.12
v25.11.6
v25.11.5
v25.11.4
v24.11.4
v25.11.3
v25.11.2
v25.11.1
v25.11
v25.07.3
v25.07.2
v25.07.1
v25.07
v25.05.2
v25.05.1
v25.05
v25.02.5
v25.02.4
v25.02.3
v25.02.2
v25.02.1
v25.02
v24.12.1
v24.12
v24.10.3
v24.10.2
v24.10.1
v24.10
v24.05.4
v24.05.3
v24.05.2
v24.05.1
v24.05
v24.02.3
v24.02.2
v24.02.1
v24.02
v23.12.3
v23.12.2
v23.12.1
v23.12
v23.10.4
v23.10.3
v23.10.2
v23.10.1
v23.10
v23.08.3
v23.08.2
v23.08.1
v23.08
v23.06.2
v23.06.1
v23.06
v23.05.2
v23.05.1
v23.05
v23.02.3
v23.02.2
v23.02.1
v23.02
v23.01.1
v23.01
v22.11.1
v22.11
v22.10.2
v22.10.1
v22.10
v22.09.1
v22.09
v22.07.3
v22.07.2
v22.07.1
v22.07
v22.06.2
v22.06.1
v22.06
v22.04.2
v22.04.1
v22.04
v22.03.1
v22.03
v22.02.3
v22.02.2
v22.02.1
v22.02
v21.12.5
v21.12.4
v21.12.3
v21.12.2
v21.12.1
v21.12
v21.11.3
v21.11.2
v21.11.1
v21.11
v21.10.3
v21.10.2
v21.10.1
v21.10
v21.08.6
v21.08.5
v21.08.4
v21.08.3
v21.08.2
v21.08.1
v21.08
v21.05.4
v21.05.3
v21.05.2
v21.05.1
v21.05
v21.04.6
v21.04.5
v21.04.4
v21.04.3
v21.04.2
v21.04.1
v21.04
v0.31.8
v0.31.7
v0.31.6
v0.31.5
v0.31.4
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.7
v0.30.6
v0.30.5
v0.30.4
v0.30.3
v0.30.2
v0.30.1
v0.30.0
v0.29.3
v0.29.2
v0.29.1
v0.29.0
v0.28.3
v0.28.2
v0.28.1
v0.28.0
v0.27.5
v0.27.4
v0.27.3
v0.27.2
v0.27.1
v0.27
v0.26.4
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.5
v0.25.4
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.3
v0.24.2
v0.24.1
v0.24.0
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.0
v0.18.5
v0.18.4
v0.18.3
v0.18.2
v0.18.1
v0.18.0
v0.17.4
v0.17.3
v0.17.2
v0.17.1
v0.17.0
v0.16.3
v0.16.2
v0.16.1
v0.16.0
v0.15.3
v0.15.2
v0.15.1
v0.15.0
v0.14.3
v0.14.2
v0.14.1
v0.14.0
v0.13.1
v0.13.0
v0.12.2
v0.12.1
v0.12.0
v0.11.2
v0.11.1
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.2
v0.8.1
v0.8.0
v0.7.6
v0.7.5
v0.7.4
v0.7.3
0.7.2
v.0.7.1
v0.7.0
v0.6.3
v0.6.2
v0.6.1
v0.6.0
v0.5.0
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
☕ Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
⛲ Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
❓ Question
🚀 Priority
🛡️ Blocked
🚚 Export System
♿ A11y
🔧 Maintenance
> Markdown Editor
pull-request
Mirrored from GitHub Pull Request
No Label
🐛 Bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/BookStack#2821
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @labor4 on GitHub (May 30, 2022).
Describe the Bug
This is a strange one.
I can reconstruct:
Any shelf title, ending in "public" will be unable to edit later on, also unable to delete.
Resulting only in a 404 error, with no laravel log entries.
Could this be true?
Steps to Reproduce
create shelf "hello-public"
create shelf "hello2-public"
create shelf "huh-public-ending"
create shelf "public-ending"
edit/delete shelf "hello-public" -> ERROR
edit/delete shelf "hello2-public" -> ERROR
edit/delete shelf "huh-public-ending" -> OK
edit/delete shelf "public-ending" -> OK
Expected Behaviour
shelf titles to be "waterproof" 😀
Screenshots or Additional Context
No response
Browser Details
No response
Exact BookStack Version
BookStack v22.04.2
PHP Version
8.0
Hosting Environment
Ubuntu 18 LTS, Plesk 18
@ssddanbrown commented on GitHub (May 30, 2022):
Hi @labor4, Thanks for reporting.
I think though this will be specific to your webserver/environment configuration.
A quick test on our demo instance could not reproduce the first case.
Are you able to share any webserver config at all?
Note: If you normally have
/public/within your normal BookStack URL this likely reflects an unsupported and possibly insecure setup.@labor4 commented on GitHub (May 30, 2022):
Haha, you got me, by mentioning a different problem of the DOCROOT.
It was my setup!
Thanks for checking.
Yes I had a problematic .htaccess on DOCROOT (below /public):
The error was here:
RewriteCond %{REQUEST_URI} !public/The Rule obviously snapped in at the URL
.../shelves/hello-public/editor even.../shelves/public/editCorrected:
But regarding your thought on "possibly insecure":
The reasoning behind having DOCROOT at the install DIR is that I expect Plesk to be in line with its backup procedures.
Would you say that the above .htaccess approach would satisfy the concern?
@ssddanbrown commented on GitHub (May 30, 2022):
It really depends on the wider context of your setup.
In general if any files/folders, outside of the BookStack
public/folder, are exposed/accessible in public web space then this significantly increases surface area and techniques for exploitation/vulnerability.Really, only the
publicfolder should be exposed as the web/document root. If any parent folders are exposed then that is not ideal.@labor4 commented on GitHub (May 30, 2022):
Ok fair arguement. I will check if I can .htaccess can answer all of these.
As a note: I have seen suites using .htaccess with
deny from allstrategies in every "private" subdir, to answer this. In one case the index.php script itself checked for their existence/working condition, and would deny normal usage until the problem was resolved. I dont remember which appliance this was.@ssddanbrown commented on GitHub (May 30, 2022):
Since the cause of the original issue is know I'll close this off.
I would advise correctly setting the document root where possible instead of using workarounds.
Any reasonable hosting system should allow setting of this.