HTTPS subresource validation fail #315

Closed
damascene opened this Issue Feb 12, 2016 · 1 comment

@damascene

Liferea will silently load content, including scripts, from servers with invalid certificates. This allows a MitM attacker to inject code into most web pages.

Further explanation and test case: https://rya.nc/https-script.html
You can directly do some tests using this RSS feed https://raw.githubusercontent.com/damascene/s-check/master/rss.xml from s-check.

@lwindolf lwindolf added the bug label Feb 23, 2016
@Leiaz
Collaborator
Leiaz commented Oct 21, 2016

WebKit 2 passes that test, so this is fixed in 1.12.

@Leiaz Leiaz closed this Oct 21, 2016
@lwindolf lwindolf added this to the 1.12-RC1 milestone Oct 21, 2016
@lwindolf lwindolf self-assigned this Oct 21, 2016