Anonymous users have access to the "saved-searches/add" page of registered users. In our case this is a problem because the user is able to view the name of the registered user in the title of the page.
Reproduce (latest dev version):
- Enable the option to create your own saved searches
- Open an incognito window and visit "user/[your-uid]/saved-searches/add".
Anonymous users should only be allowed to visit "user/0/saved-searches/add".
The page "user/[uid]/saved-searches" is correctly hidden for anonymous users.
Regards,
Thomas
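The failure mode described in the report, as an added example that is not code from the Search API Saved Searches module or from the attached patch: a Drupal route access check for a hypothetical route `/user/{user}/saved-searches/add`. The module name, service name, route name and permission names used here (`use search_api_saved_searches`, `administer search_api_saved_searches`) are assumptions. The weak variant grants access on a permission alone, so any visitor can open the form for any uid and read that user's name from the page title; the hardened variant additionally requires that the `{user}` in the path be the visitor's own account (uid 0 for anonymous visitors) or that the visitor administers saved searches, which is the rule the report asks for.

```php
<?php

namespace Drupal\saved_searches_example\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;

/**
 * Route access check for a hypothetical route (names are assumptions):
 *
 *   # saved_searches_example.routing.yml
 *   saved_searches_example.add:
 *     path: '/user/{user}/saved-searches/add'
 *     defaults:
 *       _title: 'Add saved search'
 *       _entity_form: 'search_api_saved_search.add'
 *     requirements:
 *       _saved_searches_add_access: 'TRUE'
 *     options:
 *       parameters:
 *         user:
 *           type: entity:user
 *
 *   # saved_searches_example.services.yml
 *   services:
 *     saved_searches_example.add_access:
 *       class: Drupal\saved_searches_example\Access\SavedSearchesAddAccessCheck
 *       tags:
 *         - { name: access_check, applies_to: _saved_searches_add_access }
 *
 * Drupal upcasts {user} to the User entity and passes the current session's
 * account, so the check sees both the account named in the URL and the one
 * actually making the request.
 */
class SavedSearchesAddAccessCheck implements AccessInterface {

  /**
   * Weak check: the bug pattern from the report.
   *
   * Only the visitor's permission is tested; the {user} from the path is
   * never compared with the visitor. Anonymous visitors holding the
   * permission can therefore load /user/42/saved-searches/add and see
   * user 42's name in the title. Kept here only for comparison; a real
   * module would wire one of the two methods, not both.
   */
  public function accessWeak(UserInterface $user, AccountInterface $account): AccessResultInterface {
    return AccessResult::allowedIfHasPermission($account, 'use search_api_saved_searches')
      ->addCacheContexts(['user.permissions']);
  }

  /**
   * Hardened check: the {user} in the path must be the requester.
   *
   * For anonymous visitors $account->id() is 0, so only
   * /user/0/saved-searches/add passes, matching the rule in the report.
   * Administrators may reach other users' forms. The result varies per
   * account (not just per permission set), hence the 'user' cache context,
   * and it depends on the loaded User entity, hence the cacheable dependency.
   */
  public function access(UserInterface $user, AccountInterface $account): AccessResultInterface {
    $is_own = ((int) $user->id()) === ((int) $account->id());
    $is_admin = $account->hasPermission('administer search_api_saved_searches');

    return AccessResult::allowedIf($is_own || $is_admin)
      ->andIf(AccessResult::allowedIfHasPermission($account, 'use search_api_saved_searches'))
      ->addCacheContexts(['user'])
      ->addCacheableDependency($user);
  }

}
```

The check to run after applying such a fix is the one from the report: in an incognito window, `user/[some-registered-uid]/saved-searches/add` must return 403 while `user/0/saved-searches/add` still renders. The cache context matters too: with only `user.permissions` on the hardened result, a cached allowed decision for one account could be served to another account with the same permissions, reintroducing the disclosure through the render cache.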
Comment | File | Size | Author |
---|---|---|---|
#3 | 2856331-3--usernames_visible.patch | 1.58 KB | drunken monkey |
Comments
Comment #2
thomas.krooshof.bc commented
Comment #3
drunken monkey commented
Thanks a lot for reporting this!
The attached patch should fix this – please test!
Also, as a side note in case you aren't aware, normally you should follow the official procedure for security issues in such cases (information disclosure, in this case). However, as per the documentation, usernames aren't considered security-critical, so in this specific case it's fine to discuss and fix this in a public issue.
Comment #4
thomas.krooshof.bc commented
Sorry for the late response. I have tested the patch and it works! Thank you!
Comment #5
thomas.krooshof.bc commented
@drunken monkey Should I update the issue to Reviewed & tested?
Comment #7
drunken monkey commented
Good to hear, thanks for testing!
Yes, please set the status to that in the future. If you write that it works for you, that's usually just as good for me, though. I might just miss it if I just review the RTBC issues.
Anyways: committed.
Thanks again for your help in getting this fixed!