Stringify api_key #2492

Closed

@homakov
Contributor
homakov commented Jan 26, 2013

No description provided.

@homakov homakov Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR
e3bbfb2
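The commit message above states the whole problem in one line: with no API key generated for most users, a request carrying `?token[]` matched one of them. The following is an added example, not code from this PR or from Spree: an in-memory stand-in for the API-key lookup that reproduces that effect and shows why the one-line fix (`.to_s` on the parameter) closes it. The user table, the `parse_query` function (a model of Rack's empty-bracket parsing, where `token[]` becomes `[nil]`) and the `unsafe_find_by_api_key` function (a model of the `WHERE api_key IS NULL` query that ActiveRecord generated for a nil, or an array containing nil) are constructed approximations of those libraries, not the libraries themselves.

```ruby
# Added example, not code from the Spree PR: a stand-in for the API-key lookup
# that shows why a request carrying `?token[]` matched a user and why
# coercing the parameter with `.to_s` closes the hole. The user table, the
# query-string parser and the lookup are constructed models of what Rack
# and ActiveRecord did at the time, not the real libraries.

User = Struct.new(:email, :api_key)

# Constructed user table. Spree did not generate an api_key by default, so
# most rows carry NULL (nil here); only one user has a real key.
USERS = [
  User.new('admin@example.com', nil),
  User.new('bob@example.com',   nil),
  User.new('api@example.com',   'a1b2c3'),
].freeze

# Models Rack's nested-query parsing for the cases that matter here:
#   "token=abc" -> {"token"=>"abc"}
#   "token[]"   -> {"token"=>[nil]}   (empty-bracket key, no value)
#   "token"     -> {"token"=>nil}
def parse_query(query_string)
  query_string.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    if key.end_with?('[]')
      (params[key[0...-2]] ||= []) << value
    else
      params[key] = value
    end
  end
end

# Models the SQL that find_by_api_key(value) produced: a nil, or an array
# containing nil, became `WHERE api_key IS NULL`, so every user without a
# generated key satisfied the lookup.
def unsafe_find_by_api_key(value)
  wants_null = value.nil? || (value.is_a?(Array) && value.include?(nil))
  USERS.find do |u|
    wants_null ? u.api_key.nil? : Array(value).include?(u.api_key)
  end
end

# Constant-time string comparison so the key check does not leak where a
# mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The hardened lookup: the PR's fix (`.to_s`) turns any non-string parameter
# into a string that no stored key equals; the blank-token guard and the
# `u.api_key &&` test additionally make sure a NULL key can never match.
def safe_find_by_api_key(raw)
  token = raw.to_s
  return nil if token.empty?
  USERS.find { |u| u.api_key && secure_compare(u.api_key, token) }
end

# A small authentication step like the one a controller before_filter runs.
def authenticated_user(query_string, lookup: :safe)
  value = parse_query(query_string)['token']
  lookup == :safe ? safe_find_by_api_key(value) : unsafe_find_by_api_key(value)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe ?token[]       -> #{authenticated_user('token[]', lookup: :unsafe)&.email.inspect}"
  puts "safe   ?token[]       -> #{authenticated_user('token[]')&.email.inspect}"
  puts "safe   ?token=a1b2c3  -> #{authenticated_user('token=a1b2c3')&.email.inspect}"
end
```

The `.to_s` coercion alone is what the PR ships; the empty-token guard and the explicit `u.api_key &&` test are the two extra checks a reviewer would want so that an account whose key was never generated is unreachable through this path regardless of how the query layer treats nil.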
@radar
Member
radar commented Jan 26, 2013

We would rather you bring up security notifications with us PRIVATELY, Egor. You know this is generally the case with Rails projects.

Next time, email security@spreecommerce.com please.

On 26/01/2013, at 18:18, Egor Homakov notifications@github.com wrote:

By default there is no api key generated. I just managed to break into api on test installation using ?token[], one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

You can merge this Pull Request by running

git pull https://github.com/homakov/spree patch-1
Or view, comment on, or merge it at:

#2492

Commit Summary

Stringify api_key
File Changes

M api/app/controllers/spree/api/base_controller.rb (2)
Patch Links:

https://github.com/spree/spree/pull/2492.patch
https://github.com/spree/spree/pull/2492.diff

@homakov
Contributor
homakov commented Jan 26, 2013

I almost always report it privately. It just feels like a small revenge.

@rwz
rwz commented Jan 26, 2013

That's right. Fuck all these Spree users, nobody gives shit about them. What matters though is small revenge. Way to go, dude.

@radar
Member
radar commented Jan 26, 2013

FWIW: You lived up to the exact description I had in my post. Please stop doing this. You're being a jerk.

@radar radar closed this Jan 26, 2013
@radar radar added a commit that referenced this pull request Jan 26, 2013
@homakov @radar homakov + radar Stringify api_key
Fixes #2492
6d12303
@radar radar added a commit that referenced this pull request Jan 26, 2013
@homakov @radar homakov + radar Stringify api_key
Fixes #2492
6181bb6
@radar radar added a commit that referenced this pull request Jan 26, 2013
@homakov @radar homakov + radar Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492
3c2015e
@radar radar added a commit that referenced this pull request Jan 26, 2013
@homakov @radar homakov + radar Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492
15ff5a2
@huoxito huoxito added a commit to huoxito/spree that referenced this pull request Feb 6, 2013
@homakov @huoxito homakov + huoxito Stringify api_key
Fixes #2492

Conflicts:
	api/app/controllers/spree/api/v1/base_controller.rb
0c88742
@fmfdias fmfdias added a commit to fmfdias/spree that referenced this pull request Feb 15, 2013
@fmfdias fmfdias Applied changes in commit 6181bb6 from upstream spree.
"Stringify api key

Fixes #2492"
1bdc72e
@tomash tomash referenced this pull request in rails/rails Dec 6, 2013
Closed

[Concept] Always require permit before fetching #13215
