Re: Best way forward for CVE-2021-22876/curl?

2021-04-07 Thread Ola Lundqvist
Hi Utkarsh, all After reading the description of this CVE again I realize that I misunderstood the description last time. The problem is that the "referrer" header is not stripped. This changes my conclusion to some extent. I see no problem with fixing this issue from a regression point of

Re: Best way forward for CVE-2021-22876/curl?

2021-04-07 Thread Ola Lundqvist
Hi Utkarsh, all Is this even a vulnerability? The problem is that authentication information is not stripped if the browser is redirected to another place. If you trust a site enough to provide authentication data, I guess you also trust that if that site happens to be relocated you should also

LTS report for March 2021 - Abhijith PA

2021-04-07 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 March was my 37th month as a Debian LTS paid contributor. I was assigned 9 hours and I spent all of them on the following: * smarty3: Backported patches for CVE-2018-13982, CVE-2021-26119, CVE-2021-26120, CVE-2018-16831. Tested and uploaded.