Don't use version for cache control #233
Soooo Goffanon spotted this issue in that we still leak the version number in the
A trick I found (though not really tested yet) is instead to generate on each local machine a random hash and replace it at install time ...
However, as said on the chat, I am not sure how all of this attempt to leak the version number is worth it ... In practice, since all yunohost admin assets (js, css, ms, ...) are accessible publicly, an attacker could look at the history of changes on those assets to create a script that would do a bunch of requests and infer the version number from the hash of the assets ...
Not really tested, to be discussed