
when requesting a private id, the permalink is revealed #723

Closed
flop25 opened this issue Jun 28, 2017 · 4 comments

@flop25 (Member) commented Jun 28, 2017

see #721

flop25 changed the title from "when requesting an private id, the permalink is reealed" to "when requesting an private id, the permalink is revealed" on Jun 28, 2017

@Akityo commented Jun 29, 2017

That's a bug, right? When requesting a private id, it should not disclose anything about the private album.
That's what private is defined for. Just respond with status code "404"; never let others know the private album exists.

@flop25 (Member, Author) commented Jun 29, 2017

About the response code: that's not that easy, since each type of user (legitimate ones, administrators, webmaster, uploaders and the ones who really shouldn't get the content) has reasons to know that an album they are trying to reach is forbidden. We could add a local config to change it to a 404, but I think a gallery wanting such a level of privacy would just make a custom plugin to tweak that and numerous other details.

However, what is wrong, and is the goal of the current ticket, is disclosing the permalink, which contains information about the potential content.
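The ordering problem behind this ticket, shown as an added illustration that is not Piwigo's code: a handler that canonicalises an id-based request to its permalink URL before checking access leaks the permalink (and whatever its slug says about the content) in the redirect, even to users who are then denied. The fixed handler runs the access check first and answers with a response that carries no permalink; the optional `hide_as_404` switch stands in for the "local config to change to a 404" mentioned above. The album data, route format and function names are constructed for this example.

```python
"""Constructed example: permalink disclosure via canonical redirect (not Piwigo code)."""
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Optional, Set


@dataclass
class Album:
    id: int
    permalink: str          # human-readable slug; may describe the content
    private: bool
    allowed_users: Set[str] = field(default_factory=set)


class Response(NamedTuple):
    status: int
    headers: Dict[str, str]
    body: str


# Constructed sample data for the example.
ALBUMS: Dict[int, Album] = {
    7: Album(7, "public-holiday-pics", private=False),
    42: Album(42, "secret-project-photos", private=True, allowed_users={"alice"}),
}


def can_view(album: Album, user: Optional[str]) -> bool:
    """Public albums are visible to everyone; private ones only to listed users."""
    return not album.private or user in album.allowed_users


def permalink_url(album: Album) -> str:
    # Hypothetical route format for this example.
    return f"/album/{album.permalink}"


def leaky_handler(album_id: int, user: Optional[str]) -> Response:
    """Flawed order: redirect to the canonical permalink URL, then check access
    on the target page. The 302 Location header already discloses the permalink
    before any permission check has run, for any guessable numeric id."""
    album = ALBUMS.get(album_id)
    if album is None:
        return Response(404, {}, "not found")
    return Response(302, {"Location": permalink_url(album)}, "")


def fixed_handler(album_id: int, user: Optional[str],
                  hide_as_404: bool = False) -> Response:
    """Fixed order: decide access on the id-based request first, and make the
    denial response carry no permalink in headers or body."""
    album = ALBUMS.get(album_id)
    if album is None:
        return Response(404, {}, "not found")
    if not can_view(album, user):
        if hide_as_404:
            # Optional stricter mode: indistinguishable from a missing album.
            return Response(404, {}, "not found")
        # Default discussed in the thread: tell the user it is forbidden,
        # but reveal nothing about the album itself.
        return Response(403, {}, "forbidden")
    return Response(302, {"Location": permalink_url(album)}, "")


def leaks_permalink(response: Response, album: Album) -> bool:
    """Check: does any header value or the body expose the album's permalink?"""
    exposed = response.body + " " + " ".join(response.headers.values())
    return album.permalink in exposed


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_handler), ("fixed", fixed_handler)):
        r = handler(42, "mallory")
        print(name, r.status, "leaks permalink:", leaks_permalink(r, ALBUMS[42]))
```

Running the block requests private album 42 as an unauthorised user against both handlers: the leaky one answers 302 with the slug in `Location`, the fixed one answers 403 with nothing to learn from.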

@fgeek commented Jul 1, 2017

CVE-2017-10679 has been assigned for this issue.

@plegall (Member) commented Sep 19, 2017

master : c4af38f
2.9 : 6530720

plegall self-assigned this Sep 19, 2017

plegall added this to the 2.9.2 milestone Sep 19, 2017
