[dreamwidth/dw-free] 40a6f6: Fixes #2061.
Branch: refs/heads/develop
Home: https://github.com/dreamwidth/dw-free
Commit: 40a6f6dd8631de47873f49283ba91ef76004a0d8
https://github.com/dreamwidth/dw-free/commit/40a6f6dd8631de47873f49283ba91ef76004a0d8
Author: Denise Paolucci <denise@dreamwidth.org>
Date: 2017-03-31 (Fri, 31 Mar 2017)
Changed paths:
M cgi-bin/Apache/LiveJournal.pm
Log Message:
-----------
Fixes #2061.
Alters cgi-bin/Apache/LiveJournal.pm to change the Apache-default bare-unstyled 403 in the event of a non-public or non-existent reading page filter to a still-bare-unstyled page that at least has a link to the login page so people don't get stranded.
This has specifically been checked for enumeration attacks in the following situations:
* Specified filter does exist but logged-in user isn't authorized to see it;
* Specified filter does not exist, user is logged in;
* Specified filter does exist but is not public/remote not logged in;
* Specified filter does not exist, user is not logged in.
The error message is the same in all four scenarios, so people won't be able to use this to fish for filters that do exist but that they don't have access to.
Commit: f22d8416562f0f0fc003c804b5e5e602d58b4737
https://github.com/dreamwidth/dw-free/commit/f22d8416562f0f0fc003c804b5e5e602d58b4737
Author: Mark Smith <mark@qq.is>
Date: 2017-04-04 (Tue, 04 Apr 2017)
Changed paths:
M cgi-bin/Apache/LiveJournal.pm
Log Message:
-----------
Merge pull request #2063 from rahaeli/issue2016-readfilter
better/more helpful text on "not authorized for this filter" 403 error
Compare: https://github.com/dreamwidth/dw-free/compare/2cc27da226e6...f22d8416562f
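
The four-scenario enumeration check described in the first commit message, sketched as an added example; this is not code from the commit or from dw-free. The handlers, filter name, user names and response bodies are all hypothetical and constructed for illustration.

```python
from itertools import product

# Constructed sample data: filter name -> (is_public, users allowed to read it).
FILTERS = {"friends-only": (False, {"alice"})}

# Constructed denial page: one body, with a login link, for every failure reason.
DENIED = (403, "Not authorized for this filter. <a href='/login'>Log in</a>")


def leaky_handler(filter_name, remote):
    """Anti-pattern: the response reveals why access failed."""
    if filter_name not in FILTERS:
        return (404, "No such filter.")
    is_public, readers = FILTERS[filter_name]
    if is_public or remote in readers:
        return (200, "filter contents")
    if remote is None:
        return (403, "Log in to view this filter.")
    return (403, "You are not on this filter's access list.")


def uniform_handler(filter_name, remote):
    """Every denial path returns the same status and body."""
    entry = FILTERS.get(filter_name)
    if entry and (entry[0] or remote in entry[1]):
        return (200, "filter contents")
    return DENIED


def denial_responses(handler):
    """Run the four scenarios from the commit message against a handler."""
    results = {}
    for exists, logged_in in product((True, False), repeat=2):
        name = "friends-only" if exists else "no-such-filter"
        remote = "mallory" if logged_in else None  # mallory is not a reader
        results[(exists, logged_in)] = handler(name, remote)
    return results


def is_enumerable(handler):
    """True if the scenarios can be told apart from the response alone."""
    return len(set(denial_responses(handler).values())) > 1


if __name__ == "__main__":
    print("leaky handler enumerable:", is_enumerable(leaky_handler))
    print("uniform handler enumerable:", is_enumerable(uniform_handler))
```

The comparison here covers status code and body only; a check against a running server would compare response headers as well.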