Error page should not display user controllable message if possible #296
Comments
So just remove the error message altogether and let the user sort it out by looking at logs?
Or you use ICrypto to generate an encrypted error message and decrypt it :-)
OK
Should I put the password in the session?
Can you explain what the "ready" label means? :-)
Fair point. A secret per session might make sense. But then we're also at a point where we could just put the whole error in the session and read it from there and once it is displayed clean it out of there?
Kanban: Ready, In progress, On hold
Yes, that should work. Send to template and remove from session.
Fix is in #301
/index.php/apps/gallery/error should not show a user-controllable error message if possible. The reason behind this is that users usually trust the response returned by a server. This is also known as Content Spoofing. Example:
http://localhost/master/index.php/apps/gallery/error?message=Please%20send%20your%20password%20to%20owncloud%40evil.de&code=500
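The approach the thread settles on (put the error in the session, send it to the template, then remove it from the session), as an added example that is not part of the original issue and not the project's fix in #301. It is plain PHP with an array standing in for the session; the function names and the `gallery_error` key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: $session is a plain array standing in for the server-side
// session; function names and the 'gallery_error' key are assumptions.

/** Queue an error server-side. The redirect target carries no message. */
function queueError(array &$session, string $message, int $code): string
{
    $session['gallery_error'] = ['message' => $message, 'code' => $code];
    return '/index.php/apps/gallery/error';
}

/** Build the error page from the session only; $query is deliberately unused. */
function renderErrorPage(array &$session, array $query): array
{
    $error = $session['gallery_error'] ?? null;
    unset($session['gallery_error']); // shown once, then cleared
    if ($error === null) {
        // Nothing queued by the server: fixed text, whatever the URL says.
        return ['status' => 500, 'body' => '<p>An error occurred.</p>'];
    }
    $text = htmlspecialchars($error['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return ['status' => $error['code'], 'body' => "<p>{$text}</p>"];
}

// Constructed input: the query string of the crafted link from the issue.
$spoof = ['message' => 'Please send your password to owncloud@evil.de', 'code' => '500'];
$session = [];

// 1. Crafted link opened directly: the query text never reaches the page.
$page = renderErrorPage($session, $spoof);
echo $page['status'], ' ', $page['body'], PHP_EOL;

// 2. Genuine error queued by the application, then the error page is requested.
$location = queueError($session, 'Album "holiday" could not be loaded', 404);
$page = renderErrorPage($session, $spoof);
echo $location, ' -> ', $page['status'], ' ', $page['body'], PHP_EOL;

// 3. Reload: the entry was removed after display, so the generic page returns.
$page = renderErrorPage($session, $spoof);
echo $page['status'], ' ', $page['body'], PHP_EOL;
```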