From: <gi...@ma...> - 2010-08-07 06:20:51
|
The branch, master has been updated via ed89d160e8aeebb16b857c78b3aec10748395e10 (commit) from 8c18b0ee0642a8ef82eee6d48cc7537bb059c2ba (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit ed89d160e8aeebb16b857c78b3aec10748395e10 Author: David Hicks <hic...@op...> Date: Sat Aug 7 16:19:34 2010 +1000 Add security warning comment to javascript_config.php Future developers need to be aware of the consequences of exposing configuration values using this JavaScript interface. ----------------------------------------------------------------------- Summary of changes: javascript_config.php | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) ----------------------------------------------------------------------- commit ed89d160e8aeebb16b857c78b3aec10748395e10 Author: David Hicks <hic...@op...> Date: Sat Aug 7 16:19:34 2010 +1000 Add security warning comment to javascript_config.php Future developers need to be aware of the consequences of exposing configuration values using this JavaScript interface.
diff --git a/javascript_config.php b/javascript_config.php
index 91a4f88..68041cf 100644
--- a/javascript_config.php
+++ b/javascript_config.php
@@ -30,6 +30,17 @@ function print_config_value( $p_config_key ) {
 echo "config['" . $p_config_key . "'] = '" . addslashes( config_get( $p_config_key ) ) . "';\n";
 }
+/**
+ * WARNING: DO NOT EXPOSE SENSITIVE CONFIGURATION VALUES!
+ *
+ * All configuration values below are publicly available to visitors of the bug
+ * tracker regardless of whether they're authenticated. Server paths should not
+ * be exposed. It is OK to expose paths that the user sees directly (short
+ * paths) but you do need to be careful in your selections. Consider servers
+ * using URL rewriting engines to mask/convert user-visible paths to paths that
+ * should only be known internally to the server.
+ */
+
 echo "var config = new Array();\n";
 print_config_value( 'calendar_js_date_format' );
 print_config_value( 'icon_path' );
----------------------------------------------------------------------- -- Mantis Bug Tracker |
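Review bot: The new comment block is advisory only; print_config_value() still echoes whatever key it is handed, so a future call such as `print_config_value( '<internal key>' )` (placeholder) added below the warning is not caught mechanically. A short allowlist kept next to this comment and checked before the echo, e.g. `if( !in_array( $p_config_key, $t_public_config_keys, true ) ) { return; }`, would turn the warning into an enforced rule that a reviewer can diff; the function's signature line sits just outside the hunk. Pre-existing on the context line rather than new here: addslashes() only escapes quotes and backslashes, so a config value containing a newline or a closing script tag is not safely embedded in the JavaScript string literal, and emitting the value through json_encode() would be the correct encoder for that position. The file-level comment could say so in one sentence so the next maintainer does not read addslashes() as adequate escaping.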