Just an update that this fix has been merged into the edge branch.

On Mon, Mar 16, 2009 at 7:44 PM, Carl Fyffe <[email protected]> wrote:
>
> Nice catch, Justin. IP address is being captured and displayed, but the
> author information is not when login is required. I don't know if that
> changes under anonymous posting, so this may be a concern if you allow
> anonymous comments. I don't see a requirement for show, so removing it
> may be a good way to go.
>
> On Mon, Mar 16, 2009 at 7:45 PM, Justin G <[email protected]> wrote:
> >
> > I've found what I believe is a security bug in the comments
> > controller. Here is the offending action:
> >
> >   def show
> >     @comment = Comment.find(params[:id])
> >     render :text => @comment.inspect
> >   end
> >
> > The problem is that we are rendering the entire comment object to any
> > logged-in user. This gives anyone access to a few fields that we
> > should keep private. In particular, I'm worried about the
> > author_email and author_ip fields.
> >
> > Here is a patch where I removed the comment show action entirely:
> >
> > http://github.com/jtgeibel/communityengine/commit/d5699273f3c6ad5d18c3d924f1d8e0626ce1d419
> >
> > Alternatively, you could check if the current user is an admin before
> > rendering.
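The leak described in the thread, and the two fixes proposed for it, as an added plain-Ruby example. This is not CommunityEngine's code and does not need Rails: the Comment struct, the in-memory comment store, the CommentsController class and its show_* methods, the PRIVATE_FIELDS list and the sample comment are all assumptions made here to show the behaviour. Object#inspect dumps every attribute of the record, so the action as posted hands author_email and author_ip to any caller; the admin-only variant gates the whole action as Carl suggested, and the allow-list variant goes one step further by rendering only attributes that are explicitly public, so a new sensitive column added later is not exposed by default.

```ruby
# Added example, not CommunityEngine's code. Plain-Ruby stand-in for the Rails
# pieces involved: a Comment model and the comments controller's show action.
Comment = Struct.new(:id, :body, :author_email, :author_ip, :user_id)

# Attributes that must never reach a non-admin. Assumption: these are the two
# fields the thread names as private; everything else on the record is public.
PRIVATE_FIELDS = %i[author_email author_ip].freeze

class Unauthorized < StandardError; end

class CommentsController
  # comments: hypothetical in-memory store standing in for Comment.find.
  # current_user: a hash with an :admin flag, standing in for the session user.
  def initialize(comments, current_user)
    @comments = comments
    @current_user = current_user
  end

  # The action as posted in the thread: inspect serialises every attribute,
  # including the private ones, and any logged-in user can call it.
  def show_vulnerable(id)
    find(id).inspect
  end

  # Fix 1: keep the action but require an admin, as suggested upthread.
  def show_admin_only(id)
    raise Unauthorized, "admin only" unless @current_user[:admin]
    find(id).inspect
  end

  # Fix 2: render an allow-list of attributes instead of the whole object.
  # Private fields are subtracted explicitly, so nothing leaks unless someone
  # deliberately removes it from PRIVATE_FIELDS.
  def show_public(id)
    comment = find(id)
    public_fields = comment.members - PRIVATE_FIELDS
    public_fields.each_with_object({}) { |field, out| out[field.to_s] = comment[field] }
  end

  private

  def find(id)
    @comments.fetch(id) { raise KeyError, "comment #{id} not found" }
  end
end

# Constructed sample data (documentation-range IP, reserved example domain).
SAMPLE_COMMENTS = {
  1 => Comment.new(1, "first!", "[email protected]", "203.0.113.7", 42),
}.freeze

# True if any private attribute value of `comment` appears in the rendered output.
def leaks_private_data?(comment, rendered)
  text = rendered.to_s
  PRIVATE_FIELDS.any? { |field| text.include?(comment[field].to_s) }
end

if __FILE__ == $PROGRAM_NAME
  user = CommentsController.new(SAMPLE_COMMENTS, { admin: false })
  puts "vulnerable show leaks private data: #{leaks_private_data?(SAMPLE_COMMENTS[1], user.show_vulnerable(1))}"
  puts "public show renders: #{user.show_public(1).inspect}"
end
```

The allow-list form is the one to prefer if the action has to stay: an admin check protects the endpoint, but the next developer who adds a render elsewhere still gets the full object from inspect, whereas a serializer that subtracts PRIVATE_FIELDS fails closed.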
