Stringify api_key #2492

Closed. Wants to merge 1 commit into base: master
Contributor

homakov commented Jan 26, 2013

No description provided.

Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR
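The lookup pattern this PR guards against, as an added Ruby sketch (not Spree's code): the query parser, user table and finder are toy stand-ins written to mimic Rack and ActiveRecord 3.x behaviour, and the method names are assumed.

```ruby
# Added example (not Spree's code): toy stand-ins for Rack's query parser and
# an ActiveRecord-style finder, showing why an array-valued `token` parameter
# matched users whose api_key column is NULL, and why `.to_s` closes the hole.

# Assumed to mimic Rack: `token[]` with no value parses to {"token" => [nil]}.
def parse_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    key, value = pair.split('=', 2)
    if key.end_with?('[]')
      (params[key[0..-3]] ||= []) << value
    else
      params[key] = value
    end
  end
  params
end

# Constructed sample rows; user 1 never had an API key generated (the default).
USERS = [
  { id: 1, email: 'admin@example.com', api_key: nil },
  { id: 2, email: 'bot@example.com',   api_key: 'abc123' },
].freeze

# Mimics find_by_api_key in ActiveRecord 3.x (assumed): a scalar nil becomes
# `WHERE api_key IS NULL`, an array becomes `IN (...)` where a nil element also
# matches NULL, and a string becomes `WHERE api_key = 'value'`.
def find_by_api_key(value)
  wanted = value.is_a?(Array) ? value : [value]
  USERS.find { |user| wanted.include?(user[:api_key]) }
end

# Unpatched lookup: whatever Rack produced for `token` goes straight to the finder,
# so a missing token or `token[]` selects the first user with no api_key at all.
def current_api_user(query_string)
  find_by_api_key(parse_query(query_string)['token'])
end

# Hardened lookup, the one-line idea of the PR: stringify first, so a missing
# token becomes "" and an array becomes "[nil]", neither of which matches a key.
def current_api_user_stringified(query_string)
  find_by_api_key(parse_query(query_string)['token'].to_s)
end

if __FILE__ == $PROGRAM_NAME
  puts "token[] unpatched: #{current_api_user('token[]').inspect}"
  puts "token[] patched:   #{current_api_user_stringified('token[]').inspect}"
end
```

The same stringify step is what makes a default installation, where no user has a generated key yet, refuse API requests that carry no usable token.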
Member

radar commented Jan 26, 2013

We would rather you bring up security notifications with us PRIVATELY, Egor. You know this is generally the case with Rails projects.

Next time, email security@spreecommerce.com please.

On 26/01/2013, at 18:18, Egor Homakov notifications@github.com wrote:

By default there is no api key generated. I just managed to break into api on test installation using ?token[], one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

You can merge this Pull Request by running

git pull https://github.com/homakov/spree patch-1
Or view, comment on, or merge it at:

#2492

Commit Summary

Stringify api_key
File Changes

M api/app/controllers/spree/api/base_controller.rb (2)
Patch Links:

https://github.com/spree/spree/pull/2492.patch
https://github.com/spree/spree/pull/2492.diff

Contributor

homakov commented Jan 26, 2013

i almost always report it privately. it just feels like a small revenge

rwz commented Jan 26, 2013

That's right. Fuck all these Spree users, nobody gives shit about them. What matters though is small revenge. Way to go, dude.

Member

radar commented Jan 26, 2013

FWIW: You lived up to the exact description I had in my post. Please stop doing this. You're being a jerk.

@radar radar closed this Jan 26, 2013

radar added a commit that referenced this pull request Jan 26, 2013

Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492

huoxito added a commit to huoxito/spree that referenced this pull request Feb 6, 2013

Stringify api_key
Fixes #2492

Conflicts:
	api/app/controllers/spree/api/v1/base_controller.rb

fmfdias added a commit to fmfdias/spree that referenced this pull request Feb 15, 2013
