GET /+logout link from any referrer will cause Launchpad to log the user out
Bug #162552 reported by Matthew Paul Thomas
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Triaged | Low | Unassigned |
Bug Description
1. Go to <http://
2. Try to do anything that requires you to be logged in to Launchpad.
What happens: You get either a login page, or an "application error" (bug 2115).
This is not a security problem, but it is an annoyance: random Web pages shouldn't be able to log you out of Launchpad. One way of fixing this would be to make logout require a POST, and require a token that's included as a hidden form field in all pages Launchpad serves you.
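The fix suggested in the description (logout only via POST, with a token carried as a hidden form field) can be sketched as follows. This is an added example, not part of the bug report and not Launchpad's code; `SERVER_KEY`, `logout_token`, `logout_form`, `handle_logout` and the in-memory session set are hypothetical names chosen for illustration.

```python
# Added example: all names here are hypothetical, not from Launchpad's code base.
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret


def logout_token(session_id):
    """Token bound to one session; a page on another site cannot compute it."""
    msg = b"logout:" + session_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def logout_form(session_id):
    """Markup for every served page: a POST form with the hidden token."""
    token = html.escape(logout_token(session_id), quote=True)
    return (
        '<form method="post" action="/+logout">'
        f'<input type="hidden" name="token" value="{token}">'
        '<button type="submit">Log out</button></form>'
    )


def handle_logout(method, session_id, form, sessions):
    """Return the HTTP status for a /+logout request."""
    if method != "POST":
        # A link or <img src=".../+logout"> on another site only issues GET.
        return 405
    if session_id is None or session_id not in sessions:
        return 303  # nothing to end, redirect to the front page
    supplied = form.get("token", "").encode()
    expected = logout_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        # Auto-submitted cross-site POST: session cookie present, token absent.
        return 403
    sessions.discard(session_id)  # end the session only after both checks
    return 303


if __name__ == "__main__":
    live = {"sid-constructed-1"}  # constructed sample session store
    sid = "sid-constructed-1"
    print(handle_logout("GET", sid, {}, live))                     # 405
    print(handle_logout("POST", sid, {"token": "guess"}, live))    # 403
    print(handle_logout("POST", sid, {"token": logout_token(sid)}, live))  # 303
```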
description: updated
description: updated
Changed in launchpad:
status: Incomplete → New
Changed in launchpad:
status: New → Confirmed
Changed in launchpad-foundations:
status: Confirmed → Triaged
importance: Undecided → Low
summary:
- A +logout link anywhere can log you out of Launchpad
+ GET /+logout link from any referrer will cause Launchpad to log the user out
Matthew, can you update the URL? I tried the one you gave but it seems the urlx.org service has been shut down.
Thanks