@Gordon, so I have a couple of questions for the impact description draft.
From the bug description, it appears that the leaked "request.HTTP_X_AUTH_TOKEN: 4724" is not the same as the one provided in the curl command "-H 'X-Auth-Token: 258ab".
So is the leak the token of the user requesting the notifier, or is it the admin_token defined in the [filter:authtoken] configuration?
The condition for this leak to happen is that the notifier middleware is set after authtoken, which is not the default, right?