Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error screen shows users auth token. #1747

Closed
4 tasks done
JackFromWisconsin opened this issue Jul 2, 2023 · 3 comments · Fixed by #1766
Closed
4 tasks done

Error screen shows users auth token. #1747

JackFromWisconsin opened this issue Jul 2, 2023 · 3 comments · Fixed by #1766
Labels
bug Something isn't working extra: critical It's really, really important

Comments

@JackFromWisconsin
Copy link

Requirements

  • This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead.
  • Please check to see if this issue already exists.
  • It's a single bug. Do not report multiple bugs in one issue.
  • It's a frontend issue, not a backend issue; Otherwise please create an issue on the backend repo instead.

Summary

On v0.18 versions when Lemmy hits an error, it gives an error screen. Unfortunately, this error also gives out the users access token.

This is a major vulnerability, since the page almost encourages sharing the error page. This is a severe vulnerability because of: LemmyNet/lemmy#3364

Steps to Reproduce

  1. Get a error (for example, one I got was" FetchError: request to http://lemmy:8536/api/v3/community?name=wisconsin&auth= failed, reason: connect ECONNREFUSED 172.18.0.5:8536."
  2. The auth= part contains my token, edited out for security.
  3. Accidentally share the error message and expose my account token

Technical Details

Independent of web browser/OS. Depends on when you get an error page.

Lemmy Instance Version

v0.18

Lemmy Instance URL

No response
@JackFromWisconsin JackFromWisconsin added the bug Something isn't working label Jul 2, 2023
@jsit jsit added the extra: critical It's really, really important label Jul 2, 2023
@jsit
Copy link
Contributor

jsit commented Jul 2, 2023

Thanks @JackFromWisconsin. Where does this error appear? In a popup box in the lower-left? Can you include a screenshot, and/or steps to take to reproduce an error like this?

@JackFromWisconsin
Copy link
Author

It is the full page error, not a pop-up. I will grab a screenshot next time I see it.

@SleeplessOne1917 SleeplessOne1917 mentioned this issue Jul 2, 2023
Merged
@JackFromWisconsin
Copy link
Author

@SleeplessOne1917 thank you for fixing this right away!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working extra: critical It's really, really important
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Prevent JWT token from showing up on error page LemmyNet/lemmy-ui
2 participants
@jsit @JackFromWisconsin