Mailinglist Archive: opensuse-buildservice (354 mails)

Re: [opensuse-buildservice] Redirect fix for build monitor (PATCH)
  • From: Dirk Stoecker <opensuse@xxxxxxxxxxxx>
  • Date: Tue, 13 Feb 2007 15:16:13 +0100 (CET)
  • Message-id: <Pine.LNX.4.64.0702131511350.1726@xxxxxxxxxxxxxxxxx>
On Tue, 13 Feb 2007, Marcus Rueckert wrote:

> On 2007-02-13 14:02:57 +0100, Dirk Stoecker wrote:
> > Hmm. That can make lots of security trouble I think.
>
> why? what kind of scenarios do you have in mind?

Nothing special. But cross-site scripting would be probably possible when
using referers. I tend to be a bit paranoid when thinking about web
applications. Too many things can happen when not carefully designed.

> > Also what do you do, when the previous page was dynamic and reloading
> > is not one of the best ideas.
>
> what kind of scenarios do you have in mind? i think the same could
> happen with your explicit jump targets as well. no?

No. The explicit jump target is no real target, but a symbolic "hint". The
place, where redirect happens must know the target or it is ignored. So to
get trouble with dynamic pages you need to program the trouble first :-)

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
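
The contrast drawn in the message above, as an added example that is not part of the original mail or of the build service code: a redirect target taken from the Referer header beside one resolved from a symbolic hint that the redirecting action must already know. The action names, the `back` parameter, the hint names and the paths are assumptions made for illustration, and the sample requests are constructed.

```ruby
require "uri"

# Hypothetical table: each redirecting action lists the symbolic hints it
# understands and the fixed, server-side path each hint stands for.
KNOWN_TARGETS = {
  "monitor/update" => { "monitor" => "/monitor", "project" => "/project/show" },
  "package/save"   => { "package" => "/package/show" }
}.freeze
DEFAULT_TARGET = "/".freeze

# Referer-based variant: the redirect target is whatever the client sent.
def target_from_referer(headers)
  headers.fetch("Referer", DEFAULT_TARGET)
end

# Hint-based variant: the request value is only a lookup key. A hint the
# current action does not know is ignored and the default is used.
def target_from_hint(action, params)
  hint = params["back"].to_s
  KNOWN_TARGETS.fetch(action, {}).fetch(hint, DEFAULT_TARGET)
end

# True when a target stays inside this application: an absolute path with
# no scheme, no host and no protocol-relative "//" prefix.
def local_path?(target)
  uri = URI.parse(target)
  uri.scheme.nil? && uri.host.nil? &&
    target.start_with?("/") && !target.start_with?("//")
rescue URI::InvalidURIError
  false
end

# Constructed sample requests: [action, params, headers].
SAMPLES = [
  ["monitor/update", { "back" => "project" }, { "Referer" => "/project/show" }],
  ["monitor/update", { "back" => "https://other.example/" },
   { "Referer" => "https://other.example/" }],
  ["monitor/update", { "back" => "package" }, {}] # hint known only elsewhere
].freeze

# Returns one [referer_target, hint_target] pair per sample request.
def compare(samples = SAMPLES)
  samples.map { |action, params, headers|
    [target_from_referer(headers), target_from_hint(action, params)]
  }
end

compare.each { |ref, hint| puts "referer=#{ref.inspect} hint=#{hint.inspect}" }
```

Every value `target_from_hint` can return is a constant from the table or the default, so `local_path?` holds for it regardless of what the request carried.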