Mailinglist Archive: opensuse-buildservice (354 mails)
Re: [opensuse-buildservice] Redirect fix for build monitor (PATCH)
- From: Dirk Stoecker <opensuse@xxxxxxxxxxxx>
- Date: Tue, 13 Feb 2007 15:16:13 +0100 (CET)
- Message-id: <Pine.LNX.4.64.0702131511350.1726@xxxxxxxxxxxxxxxxx>
On Tue, 13 Feb 2007, Marcus Rueckert wrote:
> On 2007-02-13 14:02:57 +0100, Dirk Stoecker wrote:
> > Hmm. That can make lots of security trouble I think.
>
> why? what kind of scenarios do you have in mind?
Nothing special. But cross-site scripting would probably be possible when
using referers. I tend to be a bit paranoid when thinking about web
applications. Too many things can happen when not carefully designed.
> > Also what do you do, when the previous page was dynamic and reloading
> > is not one of the best ideas.
>
> what kind of scenarios do you have in mind? i think the same could
> happen with your explicit jump targets as well. no?
No. The explicit jump target is no real target, but a symbolic "hint". The
place where the redirect happens must know the target or it is ignored. So to
get trouble with dynamic pages you need to program the trouble first :-)
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
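The "symbolic hint" pattern Dirk describes, contrasted with a Referer-based redirect, as an added illustration that is not part of the thread or of the build service code. The Ruby below is constructed for this purpose: the target table, the `build.example` host and the function names are assumptions. The point it makes is the one in the message: with a hint, the server alone maps the hint to a path and drops anything it does not recognise, whereas a redirect that reflects the Referer header hands the destination to the client unless the server checks it first.

```ruby
require 'uri'

# Constructed example: symbolic redirect hints a build monitor might accept.
# The client may only send the key; the actual path lives on the server.
KNOWN_TARGETS = {
  'monitor'  => '/monitor',
  'project'  => '/project/show',
  'packages' => '/package/list'
}.freeze

DEFAULT_TARGET = '/monitor'

# Resolve a symbolic hint to a redirect path. An unknown or missing hint is
# ignored and falls back to the default, so the client can never name an
# arbitrary destination, only choose among the ones the server already knows.
def resolve_hint(hint)
  return DEFAULT_TARGET if hint.nil?
  KNOWN_TARGETS.fetch(hint.to_s, DEFAULT_TARGET)
end

# Referer-based redirect that reflects the header unchanged. This is the
# pattern the thread is wary of: the header is client-supplied, so whatever
# arrives here is sent back to the browser as the redirect target.
def naive_referer_redirect(referer)
  referer || DEFAULT_TARGET
end

# Referer-based redirect hardened by a scheme check, a same-host check and
# the same allowlist of paths. Anything that fails a check, including an
# unparseable header, falls back to the default.
def checked_referer_redirect(referer, own_host)
  return DEFAULT_TARGET if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return DEFAULT_TARGET unless uri.is_a?(URI::HTTP)     # http or https only
  return DEFAULT_TARGET unless uri.host == own_host      # same origin only
  return DEFAULT_TARGET unless KNOWN_TARGETS.value?(uri.path)
  uri.path
rescue URI::InvalidURIError
  DEFAULT_TARGET
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_hint('project')                                   # /project/show
  puts resolve_hint('somewhere-else')                            # /monitor
  puts naive_referer_redirect('http://other.example/')           # reflected as-is
  puts checked_referer_redirect('http://other.example/', 'build.example')
  puts checked_referer_redirect('https://build.example/package/list', 'build.example')
end
```

The hint version needs no parsing at all, which is why it is the simpler of the two to reason about: the only way a dynamic page can end up as a redirect target is for someone to add it to the table.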