2007-11-14 02:40:14 |
Matthew Paul Thomas |
bug |
|
|
added bug |
2008-04-15 16:47:01 |
Diogo Matsubara |
launchpad: status |
New |
Incomplete |
|
2008-04-17 08:07:50 |
Matthew Paul Thomas |
description |
1. Go to <http://urlx.org/launchpad.net/6ee5c>.
2. Try to do anything that requires you to be logged in to Launchpad.
What happens: You get either a login page, or an "application error" (bug 2115).
This is not a security problem, but it is an annoyance: random Web pages shouldn't be able to log you out of Launchpad. One way of fixing this would be to make logout require a POST, and require a token that's included as a hidden form field in all pages Launchpad serves you. |
1. Go to <https://launchpad.net/+logout>.
2. Try to do anything that requires you to be logged in to Launchpad.
What happens: You get either a login page, or an "application error" (bug 2115).
This is not a security problem, but it is an annoyance: random Web pages shouldn't be able to log you out of Launchpad. One way of fixing this would be to make logout require a POST, and require a token that's included as a hidden form field in all pages Launchpad serves you. |
|
2008-04-17 08:09:02 |
Matthew Paul Thomas |
description |
1. Go to <https://launchpad.net/+logout>.
2. Try to do anything that requires you to be logged in to Launchpad.
What happens: You get either a login page, or an "application error" (bug 2115).
This is not a security problem, but it is an annoyance: random Web pages shouldn't be able to log you out of Launchpad. One way of fixing this would be to make logout require a POST, and require a token that's included as a hidden form field in all pages Launchpad serves you. |
1. Go to <http://snipurl.com/24pn8>.
2. Try to do anything that requires you to be logged in to Launchpad.
What happens: You get either a login page, or an "application error" (bug 2115).
This is not a security problem, but it is an annoyance: random Web pages shouldn't be able to log you out of Launchpad. One way of fixing this would be to make logout require a POST, and require a token that's included as a hidden form field in all pages Launchpad serves you. |
|
2008-04-17 08:09:23 |
Matthew Paul Thomas |
launchpad: status |
Incomplete |
New |
|
2008-04-17 12:23:47 |
Diogo Matsubara |
launchpad: status |
New |
Confirmed |
|
2010-11-13 21:56:12 |
Curtis Hovey |
launchpad-foundations: status |
Confirmed |
Triaged |
|
2010-11-13 21:56:15 |
Curtis Hovey |
launchpad-foundations: importance |
Undecided |
Low |
|
2011-03-23 02:42:59 |
Robert Collins |
summary |
A +logout link anywhere can log you out of Launchpad |
GET /+logout link from any referrer will cause Launchpad to log the user out |
|
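The fix proposed in the bug description (logout only via POST, with a token carried as a hidden form field in every page) can be sketched as follows. This is an added example, not Launchpad's code; the in-memory session store, the function names and the `csrf_token` field name are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user", "csrf_token"}.
SESSIONS = {}


def login(user):
    """Create a session with a random per-session token (hypothetical helper)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def hidden_field(sid):
    """Hidden form field to embed in every page served to this session."""
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def handle_logout(method, sid, form):
    """Return (status, headers) for a request to the logout URL.

    method: HTTP method; sid: session id from the cookie; form: POST fields.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 200, {}  # no such session: nothing to log out
    if method != "POST":
        # A plain link or image tag on another page issues GET,
        # so GET must never change login state.
        return 405, {"Allow": "POST"}
    supplied = form.get("csrf_token", "")
    # A form on another site can POST here but cannot read the token out of
    # our pages, so it cannot supply a matching value. Compare in constant time.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, {}
    del SESSIONS[sid]
    return 303, {"Location": "/"}
```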