Clone region copies API token #1408

Closed
svenseeberg opened this issue May 10, 2022 · 0 comments · Fixed by #1419

svenseeberg commented May 10, 2022

Describe the Bug

When a region is cloned, the access token for the push page content API endpoint is cloned as well. This is a leak of information, as users of the newly cloned region can use this token to push content to the source region.

Steps to Reproduce

  1. Edit a page and set the "API access token"
  2. Clone the region
  3. Open the page in the cloned region and look at the token.

Expected Behavior

API access tokens should be cleared after cloning.

Actual Behavior

API access tokens are cloned along with all other page properties.

Additional Information

Should we reserve a CVE? 😹

@svenseeberg svenseeberg added 🐛 bug Something isn't working ❗ prio: medium Should be scheduled in the foreseeable future. labels May 10, 2022
@svenseeberg svenseeberg added this to the Version 1.2 milestone May 10, 2022
@ulliholtgrave ulliholtgrave self-assigned this May 11, 2022
@timobrembeck timobrembeck modified the milestones: Version 1.2, Version 1.1 May 13, 2022
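
The clone behaviour reported above next to the expected one, as an added example that is not the project's code or the fix from #1419. The `Page` and `Region` classes, the `api_token` field name, and the sample token are assumptions constructed for illustration; the example generalizes the fix to any field marked as a secret, and includes a check that finds credentials shared between a source region and its clone.

```python
from dataclasses import dataclass, field, fields, replace
from typing import List, Tuple

# Hypothetical models: names are assumptions, not the project's schema.
@dataclass
class Page:
    title: str
    content: str
    # metadata marks credentials that must never survive a clone
    api_token: str = field(default="", metadata={"secret": True})

@dataclass
class Region:
    slug: str
    pages: List[Page] = field(default_factory=list)

def secret_field_names(model) -> List[str]:
    """Names of all dataclass fields flagged as secret."""
    return [f.name for f in fields(model) if f.metadata.get("secret")]

def clone_region_naive(source: Region, new_slug: str) -> Region:
    """Reported behaviour: every page property is copied, token included."""
    return Region(new_slug, [replace(p) for p in source.pages])

def clone_region_safe(source: Region, new_slug: str) -> Region:
    """Expected behaviour: secret fields are reset to their defaults."""
    cleared = {f.name: f.default for f in fields(Page) if f.metadata.get("secret")}
    return Region(new_slug, [replace(p, **cleared) for p in source.pages])

def shared_secrets(a: Region, b: Region) -> List[Tuple[str, str]]:
    """(field, page title) pairs in b whose secret value also exists in a."""
    names = secret_field_names(Page)
    seen = {getattr(p, n) for p in a.pages for n in names if getattr(p, n)}
    return [(n, p.title) for p in b.pages for n in names if getattr(p, n) in seen]

# Constructed sample data: one page with a token, one without.
SOURCE = Region("source", [
    Page("News", "<p>hello</p>", api_token="constructed-token-123"),
    Page("About", "<p>about</p>"),
])

if __name__ == "__main__":
    print("naive:", shared_secrets(SOURCE, clone_region_naive(SOURCE, "copy")))
    print("safe: ", shared_secrets(SOURCE, clone_region_safe(SOURCE, "copy")))
```

A check like `shared_secrets` also works as a regression test or as a one-off audit of regions that were cloned before the fix, whose copied tokens still need to be rotated or cleared.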