Yii2 vulnerability to "BREACH" attacks? #1634
I just read about a new type of attack, introduced at this year's Black Hat conference: http://breachattack.com/
It is not application-specific: apparently the attack works on any website using HTTP compression (which is default in Apache as far as I know), user data being returned in the HTTP response body and a CSRF token being served.
To what extent would a vanilla Yii2 setup on a LAMP machine with default settings be vulnerable?
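The three ingredients named above (HTTP compression, attacker-influenced data reflected in the body, and a static secret such as a CSRF token in the same body) are what lets the compressed response length leak the secret byte by byte. The mitigation that the merge log records for this issue, masking the token, removes the static-secret ingredient: the bytes written into each response are a one-time mask and the token XORed with that mask, so the token itself never appears in the body and two responses carry different bytes for the same session secret. The following PHP is an added illustration of that idea written for this page, not Yii2's own implementation; the function names `maskToken`, `unmaskToken` and `validateToken`, the base64 wire format and the sample secret are all assumptions.

```php
<?php
// Added illustration (not Yii2's own code): mask a per-session CSRF secret with a
// fresh random value on every response so the bytes placed in the (compressed)
// body never repeat, while validation can still recover and check the secret.

function maskToken(string $token): string
{
    // random_bytes() is a CSPRNG; the mask must be as long as the token.
    $mask = random_bytes(strlen($token));
    // PHP's string ^ operator XORs byte-wise. Prepend the mask so the server
    // can undo the masking on submission. Format (assumed): base64(mask . masked).
    return base64_encode($mask . ($token ^ $mask));
}

function unmaskToken(string $masked): ?string
{
    // Strict decoding rejects anything that is not valid base64.
    $raw = base64_decode($masked, true);
    if ($raw === false || $raw === '' || strlen($raw) % 2 !== 0) {
        return null;
    }
    $half = intdiv(strlen($raw), 2);
    $mask = substr($raw, 0, $half);
    // XOR with the same mask restores the original token bytes.
    return substr($raw, $half) ^ $mask;
}

function validateToken(string $submitted, string $sessionToken): bool
{
    $recovered = unmaskToken($submitted);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return $recovered !== null && hash_equals($sessionToken, $recovered);
}

// Demo with a constructed secret standing in for the per-session CSRF token.
$secret = bin2hex(random_bytes(16));
$first  = maskToken($secret);
$second = maskToken($secret);

var_dump($first !== $second);                  // true: response bytes differ each time
var_dump(validateToken($first, $secret));      // true: either masked form validates
var_dump(validateToken($second, $secret));     // true
var_dump(validateToken('AAAA', $secret));      // false: malformed or foreign token
```

Masking does not stop the compressor from combining attacker-reflected input with other static content in the page, so it is a mitigation for the token specifically, not for every secret a response might contain; the other levers the BREACH write-up lists (separating secrets from user input, disabling compression for sensitive responses) remain independent choices.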
* upstream: (21 commits)
  Fixes yiisoft#1643: Added default value for `Captcha::options`
  Fixes yiisoft#1654: Fixed the issue that a new message source object is generated for every new message being translated
  Allow dash char in ActionColumn’s button names.
  Added SecurityTest.
  fixed functional test when enablePrettyUrl is false.
  fixed composer.json
  minor doc fix.
  Fixes yiisoft#1634: Use masked CSRF tokens to prevent BREACH exploits
  Use better random CSRF token.
  GII unique indexes avoid autoIncrement columns
  updated debug retry params. Added sleep().
  Added unit test for ActiveRecord::updateAttributes().
  Fixes yiisoft#1641: Added `BaseActiveRecord::updateAttributes()`
  Fixed yiisoft#1504: Debug toolbar isn't loaded successfully in some environments when xdebug is enabled
  Mongo README.md updated.
  Fixes yiisoft#1611: Added `BaseActiveRecord::markAttributeDirty()`
  Number validator was missing
  Fixes yiisoft#1638: prevent table names from being enclosed within curly brackets twice.
  Unique indexes rules for single columns into array
  ...