Fossil SCM

test_env visible when not logged in and no capabilities

Fixed

2316d926e376aa5… · opened 14 years, 9 months ago

Type
Code_Defect
Priority
Severity
Minor
Resolution
Fixed
Subsystem
Created
June 27, 2011 8:06 p.m.

this link:

http://www.fossil-scm.org/index.html/test_env

... probably shouldn't work for non-admins, but esp. not the nobody user, and esp.x2 when they have zero capabilities :-)


ben added on 2011-06-27 21:08:27 UTC: Also outputting the cookie value in the response body is not recommended for web application security, and negates all the benefits of using the HttpOnly option when setting cookies.


stephan added on 2011-09-15 21:40:31 UTC: Fixed in [2d71977e984b5e2]. test_env now requires setup or admin privileges.

(That said, the info displayed on test_env isn't "too" private, IMO.)
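The second point ben raises above, that printing the request cookies into the page body hands script on that page the very value HttpOnly is meant to keep from it, can be checked mechanically. The following is an added example written for this ticket, not Fossil's own code: it parses a raw HTTP response, records which Set-Cookie headers carry HttpOnly, and reports any cookie value that also appears in the body. The response text, cookie name and value are constructed for illustration.

```python
"""Detect Set-Cookie values echoed back in an HTTP response body.

Added example, not Fossil's own code. The raw response, the cookie name
"fossil-sess" and its value are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample: a diagnostic page that dumps HTTP_COOKIE into its body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: fossil-sess=9f2a7c1e0b4d; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html><body><pre>\n"
    "HTTP_COOKIE = fossil-sess=9f2a7c1e0b4d; theme=dark\n"
    "</pre></body></html>\n"
)

# Constructed sample of the same page with the session value redacted.
SAMPLE_REDACTED = SAMPLE_RESPONSE.replace("fossil-sess=9f2a7c1e0b4d; theme", "fossil-sess=<redacted>; theme", 1)


def split_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into status line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    # Attribute names only (Path=/ becomes "path"), so flag detection is exact.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {
        "name": name.strip(),
        "value": cookie_value.strip(),
        "httponly": "httponly" in attrs,
    }


def find_cookie_leaks(raw: str) -> List[Dict[str, object]]:
    """For each Set-Cookie in the response, report whether its value is in the body.

    "httponly_defeated" is true when the cookie was marked HttpOnly yet its
    value is readable from the document anyway, which is the case ben describes.
    """
    _, headers, body = split_response(raw)
    report = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        leaked = bool(cookie["value"]) and cookie["value"] in body
        report.append({
            "name": cookie["name"],
            "httponly": cookie["httponly"],
            "leaked": leaked,
            "httponly_defeated": cookie["httponly"] and leaked,
        })
    return report


def has_defeated_httponly(raw: str) -> bool:
    """True if any HttpOnly cookie value from this response is echoed in its body."""
    return any(entry["httponly_defeated"] for entry in find_cookie_leaks(raw))


if __name__ == "__main__":
    for label, sample in (("original", SAMPLE_RESPONSE), ("redacted", SAMPLE_REDACTED)):
        print(label, find_cookie_leaks(sample), "defeated:", has_defeated_httponly(sample))
```

The check is deliberately a plain substring match on the body, so it also catches a value that is HTML-escaped or sitting inside a script block, which is what matters for a page that dumps its CGI environment. Run it against the real response of a diagnostic page while logged in, before and after a fix like the one stephan describes, to confirm that neither an anonymous user nor a logged-in user can read their own session value from the document.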

