github
id | node_id | number | title | user | state | locked | assignee | milestone | comments | created_at | updated_at | closed_at | author_association | pull_request | body | repo | type | active_lock_reason | performed_via_github_app | reactions | draft | state_reason |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
675724951 | MDU6SXNzdWU2NzU3MjQ5NTE= | 918 | Security issue: read-only canned queries leak CSRF token in URL | 9599 | closed | 0 | 4 | 2020-08-09T16:03:01Z | 2020-08-09T16:56:48Z | 2020-08-09T16:11:59Z | OWNER | The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698). This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to: https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=IlFubnoxVVpLU1NGT3NMVUoi.HbOPd2YH_epQmp8f_aAt0s-MxtU This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/918/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | ||||||
675727366 | MDU6SXNzdWU2NzU3MjczNjY= | 919 | Travis should not build the master branch, only the main branch | 9599 | closed | 0 | 3 | 2020-08-09T16:18:25Z | 2020-08-09T16:26:18Z | 2020-08-09T16:19:37Z | OWNER | Caused by #849 - since we are mirroring the two branches (to ensure old links to `master` keep working) Travis is building both. The following in `.travis.yml` should fix that: ``` branches: except: - master ``` | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/919/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed |