[cl-weblocks-ticket] Re: #45: Don't use gensym for actions to avoid XSS attacks
cl-weblocks
cl-weblocks-devel at common-lisp.net
Wed Aug 1 20:40:48 UTC 2007
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
Reporter: anonymous | Owner: sakhmechet
Type: defect | Status: new
Priority: low | Milestone: 0.2
Component: weblocks | Version: pre-0.1
Resolution: | Keywords: security
------------------------+---------------------------------------------------
Changes (by sakhmechet):
* milestone: => 0.2
* priority: critical => low
* version: => pre-0.1
Comment:
I don't think this is an issue. Weblocks stores actions per session
specifically so that a user cannot access another user's actions (unless
the session has been hijacked). If a malicious site generates a lot of
'transfer' actions the user still won't be able to access them.
It's probably better to use a scheme that makes action URLs harder to
guess anyway, but this isn't critical. Moving to 0.2.
--
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
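The comment above makes two points: action identifiers are looked up in a per-session table, so a token from one session resolves to nothing in another, and gensym-style identifiers are nonetheless easy to guess, which is why a harder-to-guess scheme is still worth having. The following is an added illustration of both points, not Weblocks code and not the scheme the project eventually chose; the `Session` class, the id factories and the sample actions are all constructed for the example. The counter-based factory stands in for `gensym` (a fixed prefix plus an increasing number), and the second factory draws its identifier from the OS CSPRNG instead.

```python
import itertools
import secrets

# Constructed example, not part of cl-weblocks: a per-session action table
# with two pluggable id factories, one predictable and one unguessable.

_gensym_counter = itertools.count(1)


def gensym_action_id():
    """Predictable id in the style of a gensym: prefix plus a running counter."""
    return f"G{next(_gensym_counter)}"


def random_action_id():
    """Unguessable id: 128 bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(16)


class Session:
    """Hypothetical session object holding its own action table."""

    def __init__(self, id_factory):
        self._actions = {}
        self._id_factory = id_factory

    def make_action(self, fn):
        """Register a callable and return the id that the action URL would carry."""
        action_id = self._id_factory()
        self._actions[action_id] = fn
        return action_id

    def dispatch(self, action_id):
        """Run the action if the id is in *this* session's table, else do nothing."""
        fn = self._actions.get(action_id)
        if fn is None:
            return None  # unknown or foreign id: nothing is executed
        return fn()


def predict_next_gensym(seen_id):
    """Given one observed gensym-style id, compute the one that follows it."""
    return f"G{int(seen_id[1:]) + 1}"


def demo():
    """Return the observations a reviewer of ticket #45 would want to see."""
    # Session A uses gensym-style ids: one observed id reveals the next one.
    session_a = Session(gensym_action_id)
    a1 = session_a.make_action(lambda: "transfer 1 done")
    a2 = session_a.make_action(lambda: "transfer 2 done")
    gensym_predictable = predict_next_gensym(a1) == a2

    # Another session with the same factory cannot resolve A's ids,
    # because the lookup goes through its own (empty) table.
    session_other = Session(gensym_action_id)
    cross_session_result = session_other.dispatch(a2)

    # Session B uses random ids: no structure to extrapolate from.
    session_b = Session(random_action_id)
    b1 = session_b.make_action(lambda: "transfer 3 done")
    b2 = session_b.make_action(lambda: "transfer 4 done")

    return {
        "gensym_predictable": gensym_predictable,
        "cross_session_result": cross_session_result,
        "own_session_result": session_a.dispatch(a2),
        "random_ids_distinct": b1 != b2,
        "random_id_length": len(b1),
        "random_dispatch": session_b.dispatch(b1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The per-session table is what limits the damage in the ticket's scenario: a forged action id only matters if it resolves inside the victim's own session. The random factory removes the remaining weakness, that an attacker who has seen one of the victim's action URLs can compute the next one.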