On Fri, 26 Jun 2015 at 23:40:26, Gordian Edenhofer wrote: > [...] > I forgot that I used $_REQUEST, I though that it was $_POST. My bad! > Though if I think of it, it just might be a good idea to switch to > $_POST since then $_GET parameters like "?refer" would not be > concidered and only $_SERVER['HTTP_REFERER'] or a POST "referer" would > be accepted. Shell I submit another patch for that or is the gain in > security negligible? >
I would say it is negligible. Let's take advantage of this now to implement the redirection as I suggested. We need to fix the security issues properly in another patch series in any case. > [...] > Flagging, voting, notifying and adopting a package is all done through > POST requests AFAIK. Deleting or merging a package is not even > available for unauthenticated users. > Hence a malicious URL would not flag a package since the corresponding > variable is not set. Yeah, you're right. We also use a CSRF token in most places. It should be implemented properly at some point anyway.
