Don't show user-supplied content in error pages #212
First: Thanks for this awesome Apache module! :)
Via our Bug Bounty program we got some reports of Text Injections in the error pages such as
While I don't really see this as a security-relevant issue, since spaces etc. are properly converted, it would be awesome if the error messages would not show the user-supplied content, as I'm sure I'll otherwise have to cope with some more of these reports :)
I don't think I follow:
Are you worried about a user manipulating a URL in his browser and then being phished into copy/pasting to the address bar the URL that is suggested by himself...?
Or are you worried about a user visiting a malicious site that redirects the user to your site and displays non-clickable text that the user would then copy/paste into the address bar?
Both seem far-fetched to me, unless there's something that I'm missing.
OTOH: it could be a good idea to minimize the information in the error message on a false request to the redirect URI, I don't disagree with that.
The actual vector here is https://www.owasp.org/index.php/Content_Spoofing, basically an adversary sending a URL to somebody and hoping that they give it more trust based on domain in scope. I do agree though on the questionability with regard to successful exploitation :)
Thanks for fixing nevertheless! Already got 2 reports about this by some reporters, so that will keep the noise down once we've redeployed via Ansible :)
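An added illustration of the point discussed in this thread (not code from the module or from any commenter): HTML-escaping stops markup injection but the request text still appears on the page, so the second variant keeps request data in the log only. All function names, the message wording, the reference format and the sample value are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst (n bytes); truncates rather than overflowing. */
static const char *html_escape(const char *src, char *dst, size_t n) {
    size_t o = 0;
    for (; *src && o + 7 < n; src++) {   /* longest entity is 6 bytes + NUL */
        const char *rep = *src == '<' ? "&lt;" : *src == '>' ? "&gt;" :
                          *src == '&' ? "&amp;" : *src == '"' ? "&quot;" :
                          *src == '\'' ? "&#39;" : NULL;
        if (rep) { strcpy(dst + o, rep); o += strlen(rep); }
        else dst[o++] = *src;
    }
    dst[o] = '\0';
    return dst;
}

/* Before: markup is neutralised, but the visitor still reads whatever
   sentence the link's author placed in the request. */
const char *render_error_echo(const char *detail, char *out, size_t n) {
    char esc[512];
    snprintf(out, n, "<h3>Error</h3><p>Invalid request: %s</p>",
             html_escape(detail, esc, sizeof esc));
    return out;
}

/* After: fixed wording plus a server-generated reference on the page; the
   request detail goes only to the log (ln > 0), control characters replaced. */
const char *render_error_fixed(const char *detail, unsigned ref,
                               char *out, size_t n, char *logbuf, size_t ln) {
    int k = snprintf(logbuf, ln, "ref=%08x invalid request detail=", ref);
    size_t o = (k < 0 || (size_t)k >= ln) ? ln - 1 : (size_t)k;
    for (; *detail && o + 1 < ln; detail++)
        logbuf[o++] = ((unsigned char)*detail < 0x20 || *detail == 0x7f) ? '?' : *detail;
    logbuf[o] = '\0';
    snprintf(out, n, "<h3>Error</h3><p>Invalid request (reference %08x).</p>", ref);
    return out;
}

/* Constructed sample: a decoded query value containing text and markup. */
const char *SAMPLE = "TEXT CHOSEN BY THE LINK AUTHOR <b>bold</b>\nsecond line";
char page[1024], logline[1024];
int main(void) {
    puts(render_error_echo(SAMPLE, page, sizeof page));
    puts(render_error_fixed(SAMPLE, 0x1a2b3c4du, page, sizeof page,
                            logline, sizeof logline));
    puts(logline);
    return 0;
}
```

The reference printed on the page lets an operator find the matching log line without the page ever repeating request data.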