Fossil

View Ticket

2011-09-15
21:40 Fixed ticket [2316d926e3]: test_env visible when not logged in and no capabilities plus 2 other changes ... (artifact: 14f3170792 user: stephan)
21:39
test_env command now requires g.perm.Admin or g.perm.Setup. Resolves ticket [2316d926e376aa]. ... (check-in: 2d71977e98 user: stephan tags: trunk)
2011-06-27
21:08 Ticket [2316d926e3] test_env visible when not logged in and no capabilities status still Open with 2 other changes ... (artifact: ee6d285533 user: ben)
20:06 New ticket [2316d926e3]. ... (artifact: b615f14ef8 user: anonymous)

Ticket Hash: 2316d926e376aa56ab5fef97f12dc1690bb5b609
Title: test_env visible when not logged in and no capabilities
Status: Fixed
Type: Code_Defect
Severity: Minor
Priority:
Subsystem:
Resolution: Fixed
Last Modified: 2011-09-15 21:40:31 (14.55 years ago)
Created: 2011-06-27 20:06:46 (14.77 years ago)
Version Found In: tip
Description:
this link:

http://www.fossil-scm.org/index.html/test_env

... probably shouldn't work for non-admins, but esp. not the `nobody` user, and esp.x2 when they have zero capabilities :-)


ben added on 2011-06-27 21:08:27 UTC:
Also outputting the cookie value in the response body is not recommended for web application security, and negates all the benefits of using the HttpOnly option when setting cookies.


stephan added on 2011-09-15 21:40:31 UTC:
Fixed in [2d71977e984b5e2]. test_env now requires setup or admin privileges.

(That said, the info displayed on test_env isn't "too" private, IMO.)
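An added illustration, not Fossil's own code, of the two points raised in this ticket: stephan's fix gating the page on the Admin or Setup capability, and ben's note that cookie values must not be echoed into the response body. `struct perm`, `sensitive_vars` and the sample environment are constructed stand-ins for Fossil's `g.perm` and the CGI variables the page dumps.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the two Fossil capability flags the ticket names
   (g.perm.Admin, g.perm.Setup); this struct is a constructed stub. */
struct perm { bool Admin; bool Setup; };

/* Access gate for the diagnostic page: only Admin or Setup may see it;
   the `nobody` user with no capabilities is refused. */
bool test_env_allowed(const struct perm *p) {
    return p != NULL && (p->Admin || p->Setup);
}

/* CGI variables whose values must not be echoed into a page body:
   printing HTTP_COOKIE hands page script the cookie that HttpOnly
   was meant to keep out of its reach. */
static const char *const sensitive_vars[] = {
    "HTTP_COOKIE", "HTTP_AUTHORIZATION", NULL
};

bool env_is_sensitive(const char *name) {
    for (const char *const *s = sensitive_vars; *s; s++)
        if (strcmp(name, *s) == 0) return true;
    return false;
}
/* Render one "NAME=VALUE" line into buf, redacting sensitive values.
   Returns the length snprintf reports. */
int env_render_line(const char *name, const char *value, char *buf, size_t n) {
    const char *shown = env_is_sensitive(name) ? "[redacted]" : value;
    return snprintf(buf, n, "%s=%s", name, shown);
}

int main(void) {
    /* Constructed sample request environment, not a real capture. */
    const char *env[][2] = {
        {"REQUEST_METHOD", "GET"},
        {"PATH_INFO", "/test_env"},
        {"HTTP_COOKIE", "fossil-login=CONSTRUCTED-SAMPLE"},
    };
    struct perm nobody = { false, false }, admin = { true, false };
    char line[128];
    if (!test_env_allowed(&nobody)) puts("nobody: refused");
    if (test_env_allowed(&admin))
        for (size_t i = 0; i < sizeof env / sizeof env[0]; i++) {
            env_render_line(env[i][0], env[i][1], line, sizeof line);
            puts(line);
        }
    return 0;
}
```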