On Saturday, July 12, 2014 11:30:00 AM you wrote:
> On Sat, 2014-07-12 at 09:11 +0200, xor wrote:
> > Thanks for the very short clarification!
> > I've used this as a foundation for a pull request which JavaDocs the
> > formPassword variable and relevant functions, please review it:
> >
> > https://github.com/freenet/fred-staging/pull/260
>
> Looks good to me.

Thanks. I've posted a comment stating that you ACKed this pull request.

> > Also, I have a question about the standard form password validation
> > function:
> >
> > https://github.com/xor-freenet/fred-staging/blob/f2ddcb9cd8c44346e74f6f14313e01f12871d2a2/src/freenet/support/plugins/helpers1/WebInterfaceToadlet.java#L71
> >
> > It first tries to obtain it from a GET-variable, then from POST.
> > Isn't it unsafe to pass this around via GET?
>
> It is; and yes, we should only call req.getPartAsStringFailsafe()... but
> doing so will break existing "broken" calls.

I've filed a bug for this at [0].

I've checked, and WOT doesn't even use this class; it has a copy-pasta of it which is much more powerful. I don't know who uses it. However, given that we want performance fixes soon, I won't change WOT to use it any time soon. I've filed a bugtracker entry for making WOT use it [1].

I've implemented anti-CSRF in the WOT class now:
https://github.com/freenet/plugin-WoT-staging/commit/4aa6cd8416b2a8fd7e21c0a3d018e4835e079351

It passes down a parameter "mayWrite" to WebPage objects which render the actual page. That parameter is only true if the request was POST and the formPassword did validate.

Thanks for your help!

[0] https://bugs.freenetproject.org/view.php?id=6237
[1] https://bugs.freenetproject.org/view.php?id=6222
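The thread above contrasts two ways of checking the anti-CSRF form password: the helper that reads it from the query string first and falls back to the POST body, and the WOT approach where a "mayWrite" flag is true only for a POST whose form password validated. The following is an added illustration of that difference in Python, not Freenet's or WOT's code; the `Request` class, the constructed `FORM_PASSWORD` value and the function names are assumptions made for the example, and the check uses a constant-time comparison so that a wrong password does not leak timing information.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example,
    not Freenet's HTTPRequest class)."""
    method: str                                        # "GET" or "POST"
    query: Dict[str, str] = field(default_factory=dict)  # URL query-string parameters
    parts: Dict[str, str] = field(default_factory=dict)  # form fields from the POST body

# Constructed secret standing in for the node's per-session formPassword.
FORM_PASSWORD = "s3cr3t-form-password"

def form_password_from_get_or_post(req: Request) -> Optional[str]:
    """The pattern questioned in the thread: look in the query string first,
    then in the POST body.  A value that travels in the URL ends up in
    browser history, server and proxy logs and Referer headers."""
    return req.query.get("formPassword") or req.parts.get("formPassword")

def may_write_weak(req: Request, expected: str = FORM_PASSWORD) -> bool:
    """Accepts the password regardless of method or where it was carried."""
    supplied = form_password_from_get_or_post(req)
    return supplied is not None and hmac.compare_digest(supplied, expected)

def may_write(req: Request, expected: str = FORM_PASSWORD) -> bool:
    """Hardened check, in the spirit of WOT's mayWrite: only a POST may write,
    and the password must come from the request body, never the URL."""
    if req.method != "POST":
        return False
    supplied = req.parts.get("formPassword")
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, expected)

def render(req: Request) -> str:
    """Toy page renderer: the state-changing path is taken only when
    may_write() is true; everything else gets a read-only view."""
    if may_write(req):
        return "write performed"
    return "read-only view"

if __name__ == "__main__":
    # Constructed requests showing which ones each check lets through.
    via_url = Request("GET", query={"formPassword": FORM_PASSWORD})
    via_body = Request("POST", parts={"formPassword": FORM_PASSWORD})
    print("weak check, password in URL:", may_write_weak(via_url))   # True
    print("hardened, password in URL:  ", may_write(via_url))        # False
    print("hardened, password in body: ", may_write(via_body))       # True
```

Note that `may_write` also rejects a POST whose password arrives only in the query string, which is the case the GET-then-POST helper would silently accept.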
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl