YOURLS reads login credentials from GET parameters #2424
This is a follow-up to #2422, which centered around broken login if username and password are passed in the URL via GET parameters (
I suggested it should either be fixed, so what that issue's OP wanted to do would work correctly, or removed entirely so the login credentials are ignored if passed in the URL. The consensus is that YOURLS is doing something it shouldn't—the login form fields are meant to be POSTed, and reading them from GET requests is a bug for security reasons.
For the moment I am self-assigning this, perhaps to take a look at it this weekend. (I've already had a cursory look at the code in
But in all seriousness, this does need fixing. We don't want webservers that handle YOURLS requests storing passwords in their request logs, do we?
Edit: I got issue 2424… I feel special now.
I think it all boils down to https://github.com/YOURLS/YOURLS/blob/master/includes/functions-auth.php#L52-L59 where we're just checking on $_REQUEST which matches either POST or GET. I think it's fine for API auth but we should restrict to $_POST for web auth.
So, this "elseif API or normal: login with username & pwd" block should in fact be split in two, "elseif API login with username & pwd then check REQUEST, elseif web login using username & password: check POST"
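The split described in the comment above, written out as an added example (this is illustration code, not YOURLS's own `functions-auth.php`; the function names, the `username`/`password` field names and the `$is_api` flag are assumptions). It shows the two branches side by side: the API path reads credentials from a `$_REQUEST`-style merge of GET and POST, while the web-login path reads only from POST, so credentials placed in the URL query string are ignored rather than accepted.

```php
<?php
// Added example, not YOURLS code. Demonstrates the proposed fix:
//   - API auth: accept username/password from GET or POST ($_REQUEST-like)
//   - web auth: accept username/password from POST only
// Credentials that arrive in the query string during a web login are
// ignored, so a browser request like /admin/?username=a&password=b
// no longer logs the user in (and the password never needs to be in a
// URL that web-server access logs will record).
// Names below (the function, 'username', 'password', $is_api) are
// hypothetical; they are not the project's identifiers.

function example_read_login_credentials(bool $is_api, array $get, array $post): ?array
{
    if ($is_api) {
        // Mimic $_REQUEST with request_order = "GP": GET first, POST
        // overrides on key collision. API clients may use either verb.
        $source = array_merge($get, $post);
    } else {
        // Interactive login form: the fields are POSTed, so only POST
        // is consulted. GET parameters are never looked at here.
        $source = $post;
    }

    if (!isset($source['username'], $source['password'])) {
        return null; // nothing usable arrived through an accepted channel
    }

    return [
        'username' => (string) $source['username'],
        'password' => (string) $source['password'],
    ];
}

// Optional hardening for the web path: if someone still puts a password
// in the query string, say so instead of silently ignoring it, so the
// mistake is noticed before the URL is bookmarked or shared.
function example_web_login_rejects_query_credentials(array $get): bool
{
    return isset($get['password']);
}

// Constructed sample requests (not captured traffic).
$cases = [
    ['label' => 'web login, creds in GET',  'api' => false,
     'get' => ['username' => 'alice', 'password' => 'hunter2'], 'post' => []],
    ['label' => 'web login, creds in POST', 'api' => false,
     'get' => [], 'post' => ['username' => 'alice', 'password' => 'hunter2']],
    ['label' => 'API login, creds in GET',  'api' => true,
     'get' => ['username' => 'alice', 'password' => 'hunter2'], 'post' => []],
    ['label' => 'API login, GET and POST',  'api' => true,
     'get' => ['username' => 'bob', 'password' => 'x'],
     'post' => ['username' => 'alice', 'password' => 'hunter2']],
];

foreach ($cases as $c) {
    $creds = example_read_login_credentials($c['api'], $c['get'], $c['post']);
    $note = '';
    if (!$c['api'] && example_web_login_rejects_query_credentials($c['get'])) {
        $note = ' (password in query string: refuse the request, do not just ignore it)';
    }
    printf("%-25s -> %s%s\n",
        $c['label'],
        $creds === null ? 'no credentials read' : 'user=' . $creds['username'],
        $note);
}
// Expected behaviour of the four cases, in order:
//   web login, creds in GET  -> no credentials read (plus the refusal note)
//   web login, creds in POST -> user=alice
//   API login, creds in GET  -> user=alice
//   API login, GET and POST  -> user=alice (POST wins, as with $_REQUEST)
```

In the API branch the merge order matters: with PHP's usual `request_order = "GP"`, POST values override GET values in `$_REQUEST`, which is what `array_merge($get, $post)` reproduces. If a deployment sets `request_order` differently, the real `$_REQUEST` may prefer GET, which is one more reason to read the web form only from `$_POST` and not from the merged array.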
Ah, the old
YOURLS Coding Standard
Do NOT use
This will prevent a