View Ticket
Ticket UUID: 2316d926e376aa56ab5fef97f12dc1690bb5b609
Title: test_env visible when not logged in and no capabilities
Status: Fixed
Type: Code_Defect
Severity: Minor
Priority:
Subsystem:
Resolution: Fixed
Last Modified: 2011-09-15 21:40:31
Version Found In: tip
Description & Comments:
this link:

http://www.fossil-scm.org/index.html/test_env

... probably shouldn't work for non-admins, but esp. not the `nobody` user, and esp.x2 when they have zero capabilities :-)


ben added on 2011-06-27 21:08:27 UTC:
Also outputting the cookie value in the response body is not recommended for web application security, and negates all the benefits of using the HttpOnly option when setting cookies.


stephan added on 2011-09-15 21:40:31 UTC:
Fixed in [2d71977e984b5e2]. test_env now requires setup or admin privileges.

(That said, the info displayed on test_env isn't "too" private, IMO.)
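The two concerns raised in this ticket, gating a debug page behind setup/admin capability and not echoing cookie values into the response body, are shown together below in an added example. This is illustrative Python, not Fossil's own C code: the handler `render_test_env`, the capability string convention, the `SAMPLE_ENV` dictionary and its cookie token are all constructed for the example, and the capability letters 's' (setup) and 'a' (admin) follow Fossil's permission letters.

```python
# Added example, not Fossil's own code: a debug "environment dump" page that
# (1) is served only to users holding the setup ('s') or admin ('a')
# capability, and (2) never echoes cookie values into the response body.
import html
from typing import Dict, Tuple

# Request variables whose raw values must not appear in a page body.  Echoing
# a session cookie into HTML defeats the HttpOnly flag: script running in the
# page could read the value from the DOM instead of document.cookie.
SENSITIVE_VARS = {"HTTP_COOKIE", "HTTP_AUTHORIZATION"}


def has_setup_or_admin(caps: str) -> bool:
    """True if the capability string contains setup ('s') or admin ('a')."""
    return "s" in caps or "a" in caps


def redact_cookie_header(value: str) -> str:
    """Keep cookie names (useful when debugging) but mask every value."""
    parts = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name = item.split("=", 1)[0]
        parts.append(f"{name}=<redacted>")
    return "; ".join(parts)


def redact_env(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the CGI environment safe to render in a page body."""
    out = {}
    for key, val in env.items():
        if key == "HTTP_COOKIE":
            out[key] = redact_cookie_header(val)
        elif key in SENSITIVE_VARS:
            out[key] = "<redacted>"
        else:
            out[key] = val
    return out


def render_test_env(env: Dict[str, str], caps: str) -> Tuple[int, str]:
    """Return (HTTP status, body).  Anonymous or low-capability users get 403
    before any environment data is touched."""
    if not has_setup_or_admin(caps):
        return 403, "Forbidden: setup or admin capability required."
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in sorted(redact_env(env).items())
    )
    return 200, f"<table>{rows}</table>"


# Constructed sample CGI environment; the cookie and auth values are made up.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/test_env",
    "HTTP_COOKIE": "fossil-1234abcd=SECRET_SESSION_TOKEN; theme=dark",
    "HTTP_AUTHORIZATION": "Basic dXNlcjpwYXNz",
    "SERVER_NAME": "example.invalid",
}

if __name__ == "__main__":
    for caps in ("", "s"):
        status, body = render_test_env(SAMPLE_ENV, caps)
        print(f"caps={caps!r}: {status}")
        print(body)
```

The capability check runs before the environment is read, so a `nobody` user with zero capabilities gets a 403 and nothing else; for an admin, the page still lists which cookies are present (which is what you usually want when debugging login problems) while the values that would matter to an attacker never reach the HTML.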