Project

General

Profile

Actions
Copy link

Defect #15560

closed

RJS leaking

Added by egor homakov almost 11 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

example - http://www.redmine.org/boards/2/topics/quote/5682.js

all files that respond with JS with private data for GET requests are vulnerable to homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html

in redmine we should remove:

attachments/destroy.js.erb members/create.js.erb
attachments/upload.js.erb members/destroy.js.erb
custom_fields/new.js.erb members/update.js.erb
groups/add_users.js.erb messages/quote.js.erb
groups/autocomplete_for_user.js.erb repositories/add_related_issue.js.erb
groups/destroy_membership.js.erb repositories/new.js.erb
groups/edit_membership.js.erb repositories/remove_related_issue.js.erb
groups/remove_user.js.erb users/destroy_membership.js.erb
issue_categories/create.js.erb users/edit_membership.js.erb
issue_categories/new.js.erb versions/create.js.erb
issue_relations/create.js.erb versions/new.js.erb
issue_relations/destroy.js.erb versions/status_by.js.erb
issues/bulk_edit.js.erb watchers/_set_watcher.js.erb
issues/update_form.js.erb watchers/append.js.erb
journals/edit.js.erb watchers/create.js.erb
journals/new.js.erb watchers/destroy.js.erb
journals/update.js.erb watchers/new.js.erb
members/autocomplete.js.erb wikis/edit.js.erb

Related issues

Related to Redmine - Defect #17770: very simple fix: that causes many sites to break, and much confusion - incorrect use of .js suffixNew

Actions
Actions
Copy link

Also available in: Atom PDF