
Error page should not display user controllable message if possible #296

Closed
LukasReschke opened this issue Sep 3, 2015 · 7 comments

@LukasReschke
Member

/index.php/apps/gallery/error should not show a user-controllable error message if possible, the reason behind this is that users usually trust the response returned by a server. This is also known as Content Spoofing.

Example: http://localhost/master/index.php/apps/gallery/error?message=Please%20send%20your%20password%20to%20owncloud%40evil.de&code=500

(screenshot attached: 2015-09-03_14-03-54)

@LukasReschke LukasReschke added this to the 8.2-current milestone Sep 3, 2015
@oparoz
Contributor

oparoz commented Sep 3, 2015

So just remove the error message altogether and let the user sort it out by looking at logs?

@LukasReschke
Member Author

> So just remove the error message altogether and let the user sort it out by looking at logs?

Or you use ICrypto to generate an encrypted error message and decrypt it :-)

@oparoz
Contributor

oparoz commented Sep 3, 2015

OK

@oparoz oparoz self-assigned this Sep 3, 2015
@oparoz
Contributor

oparoz commented Sep 3, 2015

Should I put the password in the session?

@oparoz oparoz added the ready label Sep 3, 2015
@LukasReschke
Member Author

> oparoz added the ready label 9 hours ago

Can you explain what the "ready" label means? :-)

> Should I put the password in the session?

Fair point. A secret per session might make sense. But then we're also at a point where we could just put the whole error in the session and read it from there and once it is displayed clean it out of there?

@oparoz
Contributor

oparoz commented Sep 4, 2015

> Can you explain what the "ready" label means? :-)

Kanban: Ready, In progress, On hold
Ready issues have been accepted and will be worked on next

> But then we're also at a point where we could just put the whole error in the session and read it from there and once it is displayed clean it out of there?

Yes, that should work. Send to template and remove from session.
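The two patterns discussed in this thread side by side, as an added illustration that is not part of the gallery app's code: the vulnerable error page echoes `?message=` from the query string, while the hardened variant reads the error from a server-side session entry, clears it after one display, and shows a fixed generic text when nothing is stored. The in-memory `SESSIONS` dict and the `gallery_error` key are constructed stand-ins for the app's real session store, written in Python rather than PHP.

```python
import html
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a server-side session store (the app would use
# its own session API); keyed by an opaque id, contents never leave the server.
SESSIONS: dict = {}

def new_session_id() -> str:
    return secrets.token_urlsafe(16)

# Vulnerable pattern: the error page echoes whatever ?message= carries, so a
# crafted link makes the trusted server "say" attacker-chosen text. Escaping
# stops script injection but not content spoofing, which is the issue here.
def render_error_vulnerable(url: str) -> str:
    qs = parse_qs(urlparse(url).query)
    message = qs.get("message", ["Unknown error"])[0]
    code = qs.get("code", ["500"])[0]
    return f"Error {html.escape(code)}: {html.escape(message)}"

# Hardened pattern, step 1: the failing controller stores the message in the
# session and redirects to an error URL that carries no user-supplied text.
def redirect_to_error(session_id: str, message: str, code: int) -> str:
    entry = {"message": message, "code": int(code)}
    SESSIONS.setdefault(session_id, {})["gallery_error"] = entry
    return "/index.php/apps/gallery/error"

# Step 2: the error page reads the message from the session once, removes it,
# and ignores the query string entirely. With nothing stored it shows a fixed
# generic text, so a crafted link cannot plant content on the page.
def render_error_hardened(session_id: str, url: str) -> str:
    # `url` is accepted only to make the point: its query string is never read.
    stored = SESSIONS.get(session_id, {}).pop("gallery_error", None)
    if stored is None:
        return "Error 500: An error occurred. Please check the server log."
    return f"Error {stored['code']}: {html.escape(stored['message'])}"
```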

@oparoz
Contributor

oparoz commented Sep 13, 2015

Fix is in #301
