oss-sec mailing list archives
Re: MantisBT weakened CSP when using bundled Gravatar plugin
From: Damien Regad <dregad () mantisbt org>
Date: Wed, 31 Aug 2016 01:45:15 +0200
On 2016-08-30 01:31, Reed Loden wrote:
Any reason why you don't just always use the https:// version for Gravatar here? Why ever use http://? Even if the MantisBT install is on HTTP, best to always load any third-party resources over TLS to better protect against MITM. Just surprised me to see this: https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169
Hi Reed, To be honest, I'm not quite sure, and never thought about it... I did not author this code, which has been like this since before I even joined the project [1]. The implementation of Gravatar as a plugin just recycled the existing code. IMO your suggestion to always use https makes sense, I'm cc'ing the MantisBT dev list as this is probably better discussed there. You're also welcome to open an issue in our tracker if you want. Cheers Damien [1] https://mantisbt.org/bugs/view.php?id=8882 https://github.com/mantisbt/mantisbt/commit/241f91d59
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 27)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)
- Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 30)
- Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)