[OpenStreetMap] #4522: Harry's minor friend making vulnerability
OpenStreetMap
trac at openstreetmap.org
Tue Aug 14 21:56:40 BST 2012
#4522: Harry's minor friend making vulnerability
------------------------+---------------------------------------------------
Reporter: Harry Wood | Owner: rails-dev@…
Type: defect | Status: new
Priority: minor | Milestone:
Component: website | Version:
Keywords: |
------------------------+---------------------------------------------------
We have a GET URL for adding a friend without further prompts. E.g. click
here to be my friend:
http://www.openstreetmap.org/user/Harry%20Wood/make_friend
Obviously if I can trick anyone into following that link then I get to be
their friend, which can be done in sneaky ways, for example:
http://harrywood.dev.openstreetmap.org/amazing.html
Guess the fix would be to make it show a Yes/No confirmation at this URL.
--
Ticket URL: <https://trac.openstreetmap.org/ticket/4522>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
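
The fix suggested in the ticket, sketched as an added example (not code from the OpenStreetMap website or from the ticket): GET only returns the Yes/No prompt, and the friendship is created on a POST that carries a per-session token. The handle function, the in-memory FRIENDS store and the token scheme are assumptions made for illustration and go one step beyond the ticket's suggestion.

```ruby
require "securerandom"
require "uri"

# Hypothetical in-memory stand-in for the friends table.
FRIENDS = Hash.new { |h, k| h[k] = [] }

# Issue (or reuse) the anti-forgery token bound to this session.
def csrf_token(session)
  session[:csrf] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def valid_token?(session, supplied)
  expected = session[:csrf]
  return false unless expected && supplied.is_a?(String)
  return false unless supplied.bytesize == expected.bytesize
  supplied.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# request: { method:, path:, params: }  ->  [status, body]
def handle(request, session)
  m = request[:path].match(%r{\A/user/([^/]+)/make_friend\z})
  return [404, "not found"] unless m
  return [401, "login required"] unless session[:user]
  target = URI.decode_www_form_component(m[1])

  case request[:method]
  when "GET"
    # Safe method: describe the Yes/No prompt, never change state.
    # The view would render :token as a hidden field in a POST form.
    [200, { prompt: "Add #{target} as a friend?", token: csrf_token(session) }]
  when "POST"
    # A page on another origin cannot read the token, so a forged
    # cross-site request is rejected here.
    return [403, "invalid token"] unless valid_token?(session, request[:params]["token"])
    FRIENDS[session[:user]] |= [target]
    [200, "friend added"]
  else
    [405, "method not allowed"]
  end
end
```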