Nice catch Justin. IP address is being captured and displayed, but the author information is not when login is required. I don't know if that changes under anonymous posting, so this may be a concern if you allow anonymous comments. I don't see a requirement for show, so removing it may be a good way to go.
On Mon, Mar 16, 2009 at 7:45 PM, Justin G <[email protected]> wrote: > > I've found what I believe is a security bug in the comments > controller. Here is the offending action: > > def show > �...@comment = Comment.find(params[:id]) > render :text => @comment.inspect > end > > The problem is that we are rendering the entire comment object to any > logged in user. This gives anyone access to a few fields that we > should keep private. In particular, I'm worried about the > author_email and author_ip fields. > > Here is a patch where I removed the comment show action entirely: > http://github.com/jtgeibel/communityengine/commit/d5699273f3c6ad5d18c3d924f1d8e0626ce1d419 > > Alternatively, you could check if the current user is an admin before > rendering. > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "CommunityEngine" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/communityengine?hl=en -~----------~----~----~----~------~----~------~--~---
