Translation downloads should provide https link
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | High | Colin Watson | |
Bug Description
When I request a translation download, the link provided in the email to download the translations from is http://
I asked about this on #launchpad, and wgrant said that "Those links are actually unsecured because people complained in like 2007 that HTTPS was slow" but "We're less likely to get backlash for security now".
A lot has changed in the last 8 years, and returned data which could allow an attack via C format specifiers in translated strings definitely seems worth protecting. Or at least offer a choice of links in the email so we don't have to modify them by hand to get security.
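The concern raised in the description, a translated string whose C format specifiers no longer match the original's, can also be checked on the receiving side before a downloaded catalogue is built into a program. The following is an added example, not Launchpad code and not part of the original report; `c_format_args`, `audit` and the sample pairs are constructed for illustration, and it assumes the PO entries are already parsed into (msgid, msgstr) pairs. gettext's `msgfmt --check-format` performs a comparable check.

```python
import re

# One C conversion: %[n$][flags][width][.precision][length]conv, or a literal %%.
# "*" widths are deliberately not matched, so they are reported as suspicious.
_SPEC = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0']*\d*(?:\.\d*)?"
    r"(?P<len>hh|h|ll|l|L|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)

def c_format_args(text):
    """Map argument position -> type for every argument the string consumes."""
    args = {}
    for m in _SPEC.finditer(text):
        if m.group("conv") == "%":      # "%%" prints a percent sign, no argument
            continue
        kind = (m.group("len") or "") + m.group("conv")
        pos = int(m.group("pos")) if m.group("pos") else len(args) + 1
        args[pos] = kind
    if "%" in _SPEC.sub("", text):      # leftover "%": malformed or unsupported
        raise ValueError("unparsed conversion in %r" % text)
    return args

def audit(pairs):
    """Return the msgids whose translation consumes different arguments."""
    flagged = []
    for msgid, msgstr in pairs:
        if not msgstr:                  # untranslated: gettext falls back to msgid
            continue
        try:
            ok = c_format_args(msgstr) == c_format_args(msgid)
        except ValueError:
            ok = False
        if not ok:
            flagged.append(msgid)
    return flagged

# Constructed sample entries (not taken from any real catalogue).
SAMPLE = [
    ("%s has %d new messages", "%2$d mensajes nuevos para %1$s"),  # reordered, same args
    ("Disk %s is %d%% full", "El disco %s tiene %d%% ocupado"),    # unchanged
    ("Welcome, %s", "Bienvenido, %s%n"),                           # extra %n argument
    ("Saved %d files", "%s archivos guardados"),                   # int read as pointer
    ("Quit", ""),                                                  # untranslated
]

if __name__ == "__main__":
    for msgid in audit(SAMPLE):
        print("format mismatch:", msgid)
```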
Related branches
- Thiago F. Pappacena (community): Approve
- Diff: 40 lines (+9/-2), 2 files modified
  - lib/lp/translations/scripts/po_export_queue.py (+1/-1)
  - lib/lp/translations/tests/test_exportresult.py (+8/-1)
tags: added: email lp-translations trivial
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → In Progress
Changed in launchpad:
status: In Progress → Fix Released
I could see that in 2007, using HTTPS would be an annoyance, now it should be the default. Many major orgs are pushing that way, like EFF, Google, and more.