
Pre-1.0.0 Code Audit #40

Merged
merged 15 commits into from Jun 27, 2016

Conversation

@paragonie-scott
Member

paragonie-scott commented Jun 26, 2016

Make sure everything is secure against known bug classes.

Here's a list of files that were changed since v0.3.0, if you want to narrow down the likely sources of new bugs (if you want your own):

EDIT: Checklist removed, as it was completed.

@paragonie-scott
Member Author

paragonie-scott commented Jun 26, 2016

Anyone and everyone is encouraged to participate, too. :)

I'll just see myself out...
@@ -1,4 +1,5 @@
<?php
declare(strict_types=1);
namespace Airship\Alerts;

/**
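Review bot: placement of `declare(strict_types=1);` is correct here, since PHP requires it to be the first statement after `<?php` and ahead of the `namespace` line, but the directive only changes scalar type coercion for calls made from within this file, so on a file that does nothing beyond defining an Exception subclass it has no runtime effect. The hunk also stops at the opening `/**`, so the class body it documents is not visible for review in this view.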

@paragonie-scott

paragonie-scott Jun 26, 2016

Author Member

(To explain the joke: I added strict_types=1 to the files defining custom Exception classes.)

The Twig selector for the CSP editing form wasn't properly checking for "-src" to display the data URI checkbox.

Like many of the bugs I've found in my internal audits, this caused it to fail closed. Not a security bug, but a usability bug for sure.
{{ __("Allow self-references?") }}
</label><br />
{% if key[4:] == '-src' %}
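Review bot: the condition on the last line cannot match the intended keys: Twig's `key[4:]` slices from offset 4 to the end of the string, so for `img-src` it yields `src` and for `default-src` it yields `ult-src`, neither of which equals `'-src'`; a suffix test needs the last four characters, `{% if key[-4:] == '-src' %}`. Since this branch decides whether the data URI checkbox is rendered, the mistake withholds the option rather than exposing anything.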

@paragonie-scott

paragonie-scott Jun 27, 2016

Author Member

This was the bug. Should've been -4
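The suffix check discussed in this comment, reproduced as an added Python example (not Airship code): Python's single-index slices `key[4:]` and `key[-4:]` behave the same way as Twig's one-argument slice syntax in the template above, so the buggy and corrected conditions can be run side by side over a constructed list of CSP directive names. The directive list and function names are assumptions for illustration, not the editor's own.

```python
# Added example, not code from the Airship project.
# Python's key[4:] and key[-4:] match Twig's one-argument slice syntax;
# Twig's two-argument form is [start:length], so it is not compared here.

# Constructed sample of CSP directive names as a CSP editor might list them.
# Only the fetch directives ending in "-src" take a data: URI source.
DIRECTIVES = [
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-ancestors", "report-uri", "upgrade-insecure-requests",
]


def buggy_shows_data_uri_checkbox(key: str) -> bool:
    """The condition as it was before the fix: key[4:] drops the first four
    characters and compares the remainder with '-src'. For 'img-src' the
    remainder is 'src', for 'default-src' it is 'ult-src'. The only way it
    succeeds is a name whose prefix happens to be exactly four characters
    long, such as 'font-src'; every other directive loses the checkbox."""
    return key[4:] == "-src"


def fixed_shows_data_uri_checkbox(key: str) -> bool:
    """The corrected condition: key[-4:] is the last four characters, so it
    equals '-src' exactly for the fetch directives and nothing else."""
    return key[-4:] == "-src"


def directives_with_data_uri_option(check) -> list:
    """Return the directive names for which `check` would render the
    data: URI checkbox, preserving the order of DIRECTIVES."""
    return [key for key in DIRECTIVES if check(key)]


if __name__ == "__main__":
    # The buggy check withholds the option from almost every directive
    # (it fails closed), while the fixed check offers it only for -src ones.
    print("buggy:", directives_with_data_uri_option(buggy_shows_data_uri_checkbox))
    print("fixed:", directives_with_data_uri_option(fixed_shows_data_uri_checkbox))
```

Running the block shows why the defect went unnoticed as a security issue: the wrong slice removes a setting instead of granting one, so the only symptom is a missing checkbox. A suffix test is also looser than an explicit allow-list of fetch directives, which is the stricter way to decide which directives may carry a `data:` source.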

@paragonie-scott
Copy link
Member Author

paragonie-scott commented Jun 27, 2016

Okay, I think this is good. I don't think XSS is going to be a huge problem for us.

@paragonie-scott paragonie-scott merged commit 4d3c607 into master Jun 27, 2016
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
@paragonie-scott paragonie-scott deleted the pre-1.0.0-audit branch Jun 27, 2016