
#52 Repository Username/Password disclosure

closed-invalid
nobody
None
5
2007-06-17
2007-06-15
No

In viewtopicproperties.html.tmpl the topic's repository is displayed (line 140) using the template code:
[% entry | html_entity %]
This leads to username/password disclosure if they are inlined into the repository URL.

I use
[% entry | replace (';.*', '') | html_entity %]
but this is only a simple workaround, as the full URL is still present as a hidden input field.

Codestriker 0.9.3

Discussion

  • David Sitsky
    David Sitsky
    2007-06-17

    • status: open --> closed-invalid
     
  • David Sitsky
    David Sitsky
    2007-06-17

    Define the $repository_name_map configuration variable in your codestriker.conf file if you want to give an alternative printable representation of your repository string. This is commonly used to hide password information.
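Both the reporter's workaround (strip everything after the first ';' before the html_entity filter) and the maintainer's answer (a printable name per repository via $repository_name_map) are illustrated below in one added example. It is not code from Codestriker or from either participant. It assumes the repository string shapes of a Codestriker 0.9.3 configuration (':pserver:user:password@host:/path' for CVS, 'svn:URL;user;password' for Subversion, plain URLs or local paths otherwise) and treats REPOSITORY_NAME_MAP as a stand-in for $repository_name_map; the sample repository strings are constructed, and repository_token / resolve_repository are hypothetical helpers showing how the hidden input field can carry an opaque reference instead of the full URL.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample repository strings in the shapes assumed above
# (not taken from any real codestriker.conf).
SAMPLE_REPOSITORIES = [
    ":pserver:alice:s3cret@cvs.example.org:/cvsroot/project",
    "svn:https://svn.example.org/repos/trunk;bob;hunter2",
    "https://carol:pa%40ss@git.example.org/project.git",
    "/home/cvs/project",
]

# Stand-in for $repository_name_map: repository string -> printable name.
REPOSITORY_NAME_MAP = {
    ":pserver:alice:s3cret@cvs.example.org:/cvsroot/project": "project (CVS)",
}

# CVSROOT access-method form, e.g. ':pserver:user:password@host:/path':
# everything between the method tag and '@' is credential material.
CVSROOT_WITH_USERINFO = re.compile(r"^(:[A-Za-z]+:)[^@]*@(.*)$")


def redact_repository(repo: str) -> str:
    """Return a display-safe form of a repository string with credentials removed."""
    # 1. 'svn:URL;user;password': drop everything from the first ';' on
    #    (the reporter's replace(';.*', '') workaround).
    head = repo.partition(";")[0]

    # 2. CVSROOT with embedded user[:password]@ -> keep method tag and host:path.
    m = CVSROOT_WITH_USERINFO.match(head)
    if m:
        return m.group(1) + m.group(2)

    # 3. Anything URL-like, optionally prefixed with Codestriker's 'svn:' tag:
    #    strip the userinfo part of the authority if present.
    prefix, url = "", head
    if head.startswith("svn:") and "://" in head:
        prefix, url = "svn:", head[len("svn:"):]
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        # Keep host[:port] exactly as written (rsplit preserves IPv6 brackets and case).
        host = parts.netloc.rsplit("@", 1)[-1]
        return prefix + urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

    # 4. Local path or credential-free URL: nothing to hide.
    return head


def display_name(repo: str, name_map: dict = REPOSITORY_NAME_MAP) -> str:
    """What the template should show: the administrator's printable name if one is
    configured (the $repository_name_map approach), otherwise the redacted string."""
    return name_map.get(repo) or redact_repository(repo)


def repository_token(repo: str, valid_repositories: list) -> str:
    """Hypothetical: an opaque value for the hidden form field, so the full
    repository string (with credentials) never reaches the browser at all."""
    return str(valid_repositories.index(repo))


def resolve_repository(token: str, valid_repositories: list):
    """Hypothetical server-side counterpart: map the token back to the configured
    string, rejecting anything that is not a valid index."""
    try:
        i = int(token)
    except ValueError:
        return None
    return valid_repositories[i] if 0 <= i < len(valid_repositories) else None


if __name__ == "__main__":
    for r in SAMPLE_REPOSITORIES:
        print(f"{display_name(r):45}  token={repository_token(r, SAMPLE_REPOSITORIES)}")
```

The index-based token is stable only for as long as the configured repository list is not reordered; a hash of the configured string or a per-entry key would survive edits to the list, at the cost of a lookup table. Either way, the value in the hidden field is what the server resolves, so a tampered token can only select another configured repository, never inject a new one.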