Opened 10 years ago
Closed 10 years ago
#420 closed defect (fixed)
ContentHelper should use a nonce to change the language, to avoid people with a public routerconsole being impacted
| Reported by: | Mathiasdm | Owned by: | zzz |
|---|---|---|---|
| Priority: | major | Milestone: | 0.8.5 |
| Component: | apps/console | Version: | 0.8.3 |
| Keywords: | Cc: | ||
| Parent Tickets: | Sensitive: | no |
Description
15:51 < zzz2> Mathiasdm, comments after review
15:51 < zzz2> Mathiasdm, re: ContentHelper? change to save lang config
15:52 < zzz2> we talked about it before - it's taking a security problem and
making it worse, since no nonce req'd
15:52 < zzz2> also don't the changes belong in CSSHelper, not ContentHelper?? If
we do want the changes at all?
15:53 < walking→ zzz2: is it possible to support ssl-enabled proxy for
reseeding ?
15:54 < zzz2> could an attacker inject things into the config file with a
?lang=xx%0afoo=bar Mathiasdm ? Should we convert the readmes to a
form with nonces?
Subtickets
Change History (2)
comment:1 Changed 10 years ago by
| Milestone: | 0.8.4 → 0.8.5 |
|---|---|
| Owner: | set to zzz |
| Status: | new → accepted |
comment:2 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
Note: See
TracTickets for help on using
tickets.
0.8.4-3