[security] don't write URL data to ddoc #3

Closed
mandric opened this issue Mar 27, 2018 · 1 comment

Comments

@mandric

mandric commented Mar 27, 2018

A security issue was found if you are using this module and `kanso push` to deploy your ddoc, because the URL of the location is inadvertently written to the ddoc. The URL is sensitive because it can also include authentication information.

Initial security report was on Jul 12, 2017 [1] and doesn't contain much info because it was kept private initially. A fix [2] was applied a few days later to the setting package on Git and pushed to package repo as well. I created a PR [3] (@caolan, please review and merge) to update the settings package readme to include a security note about upgrading to version >= 0.16.

[1] medic/cht-core#3648

[2] d5c8307

[3] #2
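
To check whether an already deployed ddoc carries a URL with embedded credentials, as described in the report above, the design document's JSON can be walked for URLs that have a userinfo part. This is an added example, not part of the original issue or the project's code; the sample ddoc and its field names (`settings.push_target`, `lib`) are constructed for illustration.

```javascript
// Added example: audit a design document (ddoc) for URLs that embed credentials.
// Candidate http(s) URLs inside arbitrary string values (JSON fields, JS source).
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// Return the URL with its userinfo replaced, or null if it has no credentials.
function redactUrl(candidate) {
  let u;
  try { u = new URL(candidate); } catch (e) { return null; }
  if (!u.username && !u.password) return null;
  u.username = 'REDACTED';
  u.password = '';
  return u.toString();
}

// Recursively walk the ddoc and collect { path, redacted } for every hit.
function findCredentialUrls(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    for (const m of node.match(URL_RE) || []) {
      const redacted = redactUrl(m);
      if (redacted) hits.push({ path, redacted });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findCredentialUrls(v, `${path}[${i}]`, hits));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      findCredentialUrls(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Constructed sample ddoc; field names and values are hypothetical.
const sampleDdoc = {
  _id: '_design/app',
  settings: { push_target: 'http://admin:s3cret@couch.example.org:5984/mydb' },
  lib: 'exports.db = "http://user:pw@localhost:5984/db";',
  docs_url: 'https://couch.example.org/docs',
  rewrites: [{ from: '/', to: 'index.html' }],
};

for (const hit of findCredentialUrls(sampleDdoc)) {
  console.log(`${hit.path}: ${hit.redacted}`);
}
```

The output lists only the JSON path and a redacted form of each URL, so the audit result itself does not repeat the secret.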

@caolan

caolan commented Mar 28, 2018

Thanks @mandric, I've merged your note in the changelog.

@mandric mandric closed this as completed Jun 5, 2018