Commit: Ignore script_name query parameter in generated URLs
Showing 3 changed files with 13 additions and 3 deletions.
ec9b985
@mislav was this a security vulnerability? Should people be upgrading?
Yes
@mislav could you explain a bit more about the vulnerability? I have a hard time finding what tampering with the script_name could result in.
Hey @mislav, if in addition to providing a short description, you could also just confirm the upgradeable version ranges @aripollak listed here, that would be highly appreciated!
Yep you people are right about upgrade ranges. Is anything not clear from my release notes?
Ah ha, are you referring to this page?
Everyone has a slightly different release process, so it's better to be safe than sorry :).
Re: the description, it's useful to know what the specific security vulnerability was so we can rank how important fixing it is. If you recall off the top of your head rather, that'd also save us having to figure out what went wrong. At a glance I can't seem to find anything in the issues tab.
I'm mindful of the drudgery of open source work :P, and I'm sorry if it seems we're just adding to it.
Sure thing: passing maliciously crafted content in script_name GET parameter could cause pagination links to get output pointing to another site, or even XSS.
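The failure mode described in that last comment, as an added Ruby illustration that is not this project's code and does not reproduce its API: a Rack-style link builder that lets a `script_name` query parameter override the path prefix next to one that takes the prefix only from the server-supplied `SCRIPT_NAME` and drops the stray parameter. The function names, the `SAMPLE_ENV` request and the `same_origin_path?` check are all constructed for this example.

```ruby
require 'uri'

# Constructed sample request (not from the page): the server mounted the app
# at /app, but the query string carries its own "script_name".
SAMPLE_ENV = {
  'SCRIPT_NAME'  => '/app',
  'PATH_INFO'    => '/posts',
  'QUERY_STRING' => 'script_name=//evil.example&page=1'
}.freeze

# Vulnerable variant (hypothetical name): a client-controlled query parameter
# is allowed to override the path prefix, so the generated pagination link
# points wherever the query string says.
def build_page_url_unsafe(env, page)
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  prefix = params['script_name'] || env['SCRIPT_NAME'].to_s
  params['page'] = page.to_s
  "#{prefix}#{env['PATH_INFO']}?#{URI.encode_www_form(params)}"
end

# Fixed variant (hypothetical name): the prefix comes only from the Rack env,
# and a "script_name" query parameter is discarded before re-encoding, so it
# neither chooses the prefix nor gets echoed back into the link.
def build_page_url(env, page)
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  params.delete('script_name')
  params['page'] = page.to_s
  "#{env['SCRIPT_NAME']}#{env['PATH_INFO']}?#{URI.encode_www_form(params)}"
end

# Regression check a reviewer can keep: a generated link must stay relative
# to this application (a single leading slash, no scheme-relative "//host").
def same_origin_path?(url)
  url.start_with?('/') && !url.start_with?('//')
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{build_page_url_unsafe(SAMPLE_ENV, 2)}"
  puts "fixed:  #{build_page_url(SAMPLE_ENV, 2)}"
end
```

Running it shows the unsafe builder emitting a scheme-relative link to the attacker-chosen host while the fixed builder emits `/app/posts?page=2`; the `same_origin_path?` check is the kind of assertion worth adding to a test suite so a regression is caught before links reach a template.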