
use current user rather than form user id which can be spoofed #3077

Merged: 1 commit merged into master from comment_user_fix, Dec 9, 2021

Conversation

raycarrick-ed

Fixes #603.

Changes proposed in this PR:

  • use current user id for comments rather than the user id on the form
  • the above ticket listed a couple of "security issues" which came from Erasmus. This is the second.
  • if someone edits the html and replaces the userid with one for someone who has permissions to comment they can spoof the user. Only works with people who have permission to comment so not a big deal but, still, might as well plug it.
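The pattern this PR describes, shown as an added example that is not code from the PR or from the project: a framework-free sketch of a comment-creation handler that first trusts the `user_id` posted with the form, and then the corrected version that takes the author from the authenticated session and ignores whatever the form claims. The names (`COMMENTERS`, `Comment`, `build_comment_from_form`, `build_comment_from_session`, `spoofed_user_id?`) and the fixture data are constructed for this illustration.

```ruby
# Added example, not the project's code. Simulates the difference between
# trusting a form-supplied user id and using the authenticated user.
require 'set'

# Constructed fixture: ids of users who hold the permission to comment on a plan.
COMMENTERS = Set.new([1, 2]).freeze

Comment = Struct.new(:plan_id, :user_id, :text)

# Before the fix: the author is whatever user_id the browser posted.
# The permission check still passes as long as the posted id belongs to
# some permitted user, so a commenter can attribute text to another commenter.
def build_comment_from_form(params)
  user_id = Integer(params['user_id'])
  raise 'forbidden: user may not comment' unless COMMENTERS.include?(user_id)
  Comment.new(Integer(params['plan_id']), user_id, params['text'].to_s)
end

# After the fix: the author is the id from the server-side session
# (what Rails apps expose as current_user). The form field, if present, is ignored.
def build_comment_from_session(params, current_user_id)
  raise 'forbidden: user may not comment' unless COMMENTERS.include?(current_user_id)
  Comment.new(Integer(params['plan_id']), current_user_id, params['text'].to_s)
end

# Defender-side check worth logging during the transition: a posted user_id
# that disagrees with the session is either a stale form or a tampered one.
def spoofed_user_id?(params, current_user_id)
  return false unless params.key?('user_id')
  Integer(params['user_id']) != current_user_id
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: user 1 is logged in but the hidden field says user 2.
  tampered = { 'plan_id' => '7', 'user_id' => '2', 'text' => 'hello' }
  puts "form-trusting author:   #{build_comment_from_form(tampered).user_id}"
  puts "session-derived author: #{build_comment_from_session(tampered, 1).user_id}"
  puts "mismatch flagged:       #{spoofed_user_id?(tampered, 1)}"
end
```

The session-derived version has one fewer input to validate, which is the whole point: authorship is a fact the server already knows, so it should never be read back from the client.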

@raycarrick-ed raycarrick-ed requested a review from briri December 9, 2021 13:11

@briri briri left a comment


Looks good @raycarrick-ed. Thanks for patching this

@briri briri merged commit 88a7115 into master Dec 9, 2021
@briri briri deleted the comment_user_fix branch December 9, 2021 16:01