GET /+logout link from any referrer will cause Launchpad to log the user out
Bug #162552 reported by
Matthew Paul Thomas
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
Low
|
Unassigned | ||
Bug Description
1. Go to <http://
2. Try to do anything that requires you to be logged in to Launchpad.
What happens: You get either a login page, or an "application error" (bug 2115).
This is not a security problem, but it is an annoyance: random Web pages shouldn't be able to log you out of Launchpad. One way of fixing this would be to make logout require a POST, and require a token that's included as a hidden form field in all pages Launchpad serves you.
Revision history for this message
| Diogo Matsubara (matsubara) wrote | #1 |
| Changed in launchpad: | |
| status: | New → Incomplete |
| description: | updated |
| description: | updated |
| Changed in launchpad: | |
| status: | Incomplete → New |
| Changed in launchpad: | |
| status: | New → Confirmed |
| Changed in launchpad-foundations: | |
| status: | Confirmed → Triaged |
| importance: | Undecided → Low |
| summary: |
- A +logout link anywhere can log you out of Launchpad + GET /+logout link from any referrer will cause Launchpad to log the user + out |
To post a comment you must log in.
Matthew, can you update the URL? I tried the one you gave but it seems the urlx.org service has been shut down.
Thanks