[Filebin-general] CSRF protection, JSON api, information disclosure issue

Florian Pritz bluewind at xinu.at
Tue Sep 3 16:01:48 CEST 2013


Hi,

I've just pushed some changes to master, the most important ones being:

CSRF protection for pretty much every page (not for the upload pages to
prevent people from getting errors because of timed-out tokens if they
keep the page open for some time). This change shouldn't cause any
problems, but please take a look at the code to make sure I don't
disable it in valid cases.

The second big change is a newly created JSON API which for now only
works for a few functions, more will be added later. Information on how
to use it is available in the wiki[1].

[1]: https://wiki.server-speed.net/projects/filebin/api

Also there is a commit (fbd587a6) that fixes an information disclosure
issue which anyone using the built-in db instead of an external
authentication mechanism should apply soonish.
