when requesting an private id, the permalink is revealed #723

Closed
flop25 opened this issue Jun 28, 2017 · 4 comments

Comments

@flop25
Member

flop25 commented Jun 28, 2017

see #721

@flop25 flop25 changed the title when requesting an private id, the permalink is reealed when requesting an private id, the permalink is revealed Jun 28, 2017
@Akityo

Akityo commented Jun 29, 2017

That's a bug, right? When requesting a private id, it should not disclose anything about the private album.
That's what private is defined for. Just respond with status code "404", never let others know the private album exists.

@flop25
Member Author

flop25 commented Jun 29, 2017

About the response code, that's not that easy, since each type of user (legitimate ones, administrators, webmaster, uploaders and the ones who really shouldn't get the content) has reasons to know that an album they are trying to reach is forbidden. We could add a local config to change to a 404, but I think a gallery willing to have such a level of privacy would just make a custom plugin to tweak that and numerous other details.

However, what is wrong (and is the goal of the current ticket) is disclosing the permalink, which contains an info about the potential content.
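The two positions in this thread (keep a "forbidden" answer for users who have a reason to see one, but never let the response carry the permalink) can be shown side by side. The following is an added example written for this discussion, not Piwigo's own code: it assumes the leak arises from a handler that canonicalises the numeric id to its permalink URL before checking access, so the `Location` header of the redirect reveals the slug. The album catalogue, user names and the `hide_private_as_404` switch are constructed for the example.

```python
"""Constructed example: serving an album requested by numeric id.

`leaky_handler` redirects to the permalink before the access check, so a
user who may not view the album still learns its slug (which describes the
content). `safe_handler` checks access first and returns a response that
contains nothing derived from the album record. Neither function is Piwigo
code; the data below is made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


@dataclass(frozen=True)
class Album:
    id: int
    permalink: str            # human-readable slug describing the content
    private: bool
    allowed_users: FrozenSet[str]


# Constructed sample catalogue (not Piwigo's data model).
ALBUMS: Dict[int, Album] = {
    12: Album(12, "family-wedding-2017", True, frozenset({"alice"})),
    13: Album(13, "public-holidays", False, frozenset()),
}


def can_view(album: Album, user: str) -> bool:
    """Public albums are visible to everyone; private ones only to listed users."""
    return (not album.private) or (user in album.allowed_users)


def leaky_handler(album_id: int, user: str) -> Response:
    """Vulnerable ordering: canonicalise to the permalink, then check access."""
    album = ALBUMS.get(album_id)
    if album is None:
        return 404, {}, "not found"
    # The redirect is issued for every requester, so a forbidden user
    # receives the permalink in the Location header before any check runs.
    if album.permalink:
        return 302, {"Location": f"/{album.permalink}"}, ""
    if not can_view(album, user):
        return 403, {}, "forbidden"
    return 200, {}, f"album {album.id}"


def safe_handler(album_id: int, user: str, hide_private_as_404: bool = False) -> Response:
    """Fixed ordering: decide on access first, then build the response."""
    album = ALBUMS.get(album_id)
    if album is None:
        return 404, {}, "not found"
    if not can_view(album, user):
        # Optional stricter mode (the "local config" idea from the thread):
        # make a forbidden album indistinguishable from a missing one.
        if hide_private_as_404:
            return 404, {}, "not found"
        # Default mode keeps an explicit "forbidden" answer, but the body and
        # headers are constants that carry nothing from the album record.
        return 403, {}, "forbidden"
    return 302, {"Location": f"/{album.permalink}"}, ""


def response_leaks_permalink(resp: Response, album: Album) -> bool:
    """True if the permalink slug appears anywhere in headers or body."""
    _, headers, body = resp
    haystack = body + " ".join(headers.values())
    return album.permalink in haystack


if __name__ == "__main__":
    private = ALBUMS[12]
    for name, handler in (("leaky", leaky_handler), ("safe", safe_handler)):
        resp = handler(12, "mallory")
        print(name, resp, "leaks:", response_leaks_permalink(resp, private))
```

Running the module shows the leaky handler answering an unauthorised request with `302` and `Location: /family-wedding-2017`, while the safe handler answers `403 forbidden` (or `404` when `hide_private_as_404=True`) with no album-derived data; an authorised user gets the same redirect from both.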

@fgeek

fgeek commented Jul 1, 2017

CVE-2017-10679 has been assigned for this issue.

@plegall
Member

plegall commented Sep 19, 2017

master : c4af38f
2.9 : 6530720
