Opened at 2010-01-16T17:47:22Z
Last modified at 2013-09-14T17:39:02Z
#907 assigned defect
Stop caps from leaking to phishing filters — at Initial Version
Reported by: | davidsarah | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | eventually |
Component: | code-frontend-web | Version: | 1.5.0 |
Keywords: | capleak integrity confidentiality forward-compatibility newurls docs websec | Cc: | |
Launchpad Bug: |
Description
Some phishing filters send URLs to a filter on some other machine. That's a bad idea and probably not very effective at preventing phishing, but they do it anyway. However, they strip query parts before sending them to the filter (according to Tyler Close and the web calculus documentation).
The webapi accepts URLs of the form http://host:port/uri?uri=..., but it redirects to a URL of the form http://host:port/uri/.... We should prefer to put the cap in the query, and we should probably also allow the shorter form http://host:port/?....
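The difference between the two URL forms, as an added example that is not part of the original ticket or of the Tahoe-LAFS code base. It assumes, as the description states, that the filter strips the query part before sending the URL; the cap, host and port are constructed sample values, and `filter_view`, `leaks_cap` and `to_query_form` are hypothetical helper names.

```python
from urllib.parse import urlsplit, urlunsplit, quote, unquote

# Constructed sample cap and gateway address; not real values.
SAMPLE_CAP = "URI:CHK:" + "a" * 26 + ":" + "b" * 52 + ":3:10:1234"
GATEWAY = "http://127.0.0.1:3456"
PATH_URL = GATEWAY + "/uri/" + quote(SAMPLE_CAP, safe="")


def filter_view(url):
    """Return the URL as a query-stripping filter would receive it."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc, s.path, "", ""))


def leaks_cap(url):
    """True if a cap string survives query stripping (it sits in the path)."""
    return "URI:" in unquote(filter_view(url))


def to_query_form(url):
    """Rewrite http://host:port/uri/<cap> to http://host:port/uri?uri=<cap>.

    Only the bare-cap form is handled. URLs that are not in path form, or
    that carry child path segments after the cap, are returned unchanged.
    """
    s = urlsplit(url)
    prefix = "/uri/"
    if not s.path.startswith(prefix):
        return url
    rest = s.path[len(prefix):].rstrip("/")
    cap = unquote(rest)
    if "/" in rest or not cap.startswith("URI:"):
        return url
    # Keep any existing query arguments after the cap.
    query = "uri=" + quote(cap, safe="")
    if s.query:
        query += "&" + s.query
    return urlunsplit((s.scheme, s.netloc, "/uri", query, s.fragment))


if __name__ == "__main__":
    for u in (PATH_URL, to_query_form(PATH_URL)):
        print("leaks" if leaks_cap(u) else "safe ", filter_view(u))
```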