Pre-1.0.0 Code Audit #40

Merged
merged 15 commits into from Jun 27, 2016

paragonie-scott commented Jun 26, 2016

Make sure everything is secure against known bug classes.

Here's a list of files that were changed since v0.3.0, if you want to narrow down the likely sources of new bugs (if you want your own):

EDIT: Checklist removed, as it was completed.

paragonie-security added some commits Jun 26, 2016

paragonie-scott commented Jun 26, 2016

Anyone and everyone is encouraged to participate, too. :)

paragonie-security added some commits Jun 26, 2016

This commit is, strictly speaking, exceptional.
I'll just see myself out...
@@ -1,4 +1,5 @@
<?php
+declare(strict_types=1);
namespace Airship\Alerts;
/**
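
Review bot: declare(strict_types=1) must be the first statement after the opening tag, ahead of the namespace declaration, and the hunk places it exactly there, so the placement is correct. Note that the directive only governs scalar type checks for calls made from within this file; a file whose only job is to declare exception subclasses makes no such calls, so the change is about keeping the directive consistent across the code base rather than altering behaviour.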

paragonie-scott Jun 26, 2016

(To explain the joke: I added strict_types=1 to the files defining custom Exception classes.)

paragonie-security added some commits Jun 26, 2016

Found a bug!
The Twig selector for the CSP editing form wasn't properly checking for "-src" to display the data URI checkbox.

Like many of the bugs I've found in my internal audits, this caused it to fail closed. Not a security bug, but a usability bug for sure.
{{ __("Allow self-references?") }}
</label><br />
- {% if key[4:] == '-src' %}
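
Review bot: the removed condition `key[4:] == '-src'` compares everything after the first four characters of the key with '-src', which can only be true for a four-character key ending in nothing, so the data URI checkbox was never rendered; the check needs the last four characters, i.e. `key[-4:] == '-src'`, which matches the author's own follow-up ("Should've been -4"). Since the replacement line is not shown in this hunk, confirm that the new condition uses that negative slice rather than another offset, and consider a template test that renders one directive key ending in -src and one that does not, asserting the checkbox appears only for the former.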

paragonie-scott Jun 27, 2016

This was the bug. Should've been -4

paragonie-scott commented Jun 27, 2016

Okay, I think this is good. I don't think XSS is going to be a huge problem for us.

@paragonie-scott paragonie-scott merged commit 4d3c607 into master Jun 27, 2016

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@paragonie-scott paragonie-scott deleted the pre-1.0.0-audit branch Jun 27, 2016
