[OpenStreetMap] #4522: Harry's minor friend making vulnerability

OpenStreetMap trac at openstreetmap.org
Tue Aug 14 21:56:40 BST 2012


#4522: Harry's minor friend making vulnerability
------------------------+---------------------------------------------------
 Reporter:  Harry Wood  |       Owner:  rails-dev@…                
     Type:  defect      |      Status:  new                        
 Priority:  minor       |   Milestone:                             
Component:  website     |     Version:                             
 Keywords:              |  
------------------------+---------------------------------------------------
 We have a GET URL for adding a friend without further prompts. E.g. click
 here to be my friend:
 http://www.openstreetmap.org/user/Harry%20Wood/make_friend

 Obviously if I can trick anyone into following that link then I get to be
 their friend, which can be done in sneaky ways for example:

 http://harrywood.dev.openstreetmap.org/amazing.html


 Guess the fix would be to make it show a Yes/No confirmation at this URL.

-- 
Ticket URL: <https://trac.openstreetmap.org/ticket/4522>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
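
Added example, not part of the original ticket and not OpenStreetMap's code: a minimal Ruby model of the confirmation fix the ticket proposes, next to the GET behaviour it reports. FriendApp, its method names and the session hash are hypothetical, and the per-session token on the POST is an assumption that goes one step beyond the Yes/No prompt.

```ruby
require "securerandom"
require "set"

# Constructed in-memory model; FriendApp and the session hash are hypothetical.
class FriendApp
  attr_reader :friends

  def initialize
    @friends = Set.new # [befriender, befriended] pairs
  end

  # Behaviour the ticket describes: a bare GET changes state, so any link
  # the logged-in user follows performs the action.
  def make_friend_get(session, target)
    @friends << [session[:user], target]
    [200, "#{target} is now your friend"]
  end

  # Suggested fix: GET only renders the Yes/No prompt; the change needs a
  # POST carrying the per-session token embedded in that prompt.
  def make_friend(method, session, target, params = {})
    case method
    when "GET"
      session[:csrf] ||= SecureRandom.hex(16)
      [200, "Add #{target} as a friend? [Yes] [No] token=#{session[:csrf]}"]
    when "POST"
      return [403, "invalid token"] unless token_ok?(session[:csrf], params["token"])
      @friends << [session[:user], target]
      [200, "#{target} is now your friend"]
    else
      [405, "method not allowed"]
    end
  end

  private

  # Compare every byte so timing does not reveal how much of the token matched.
  def token_ok?(expected, given)
    return false unless expected && given && expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  app = FriendApp.new
  session = { user: "alice" } # constructed logged-in session
  p app.make_friend("GET", session, "Harry Wood")      # prompt only
  p app.make_friend("POST", session, "Harry Wood", {}) # rejected: no token
end
```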


