oss-sec mailing list archives

Re: MantisBT weakened CSP when using bundled Gravatar plugin

From: Damien Regad <dregad () mantisbt org>
Date: Wed, 31 Aug 2016 01:45:15 +0200

On 2016-08-30 01:31, Reed Loden wrote:

Any reason why you don't just always use the https:// version for Gravatar
here? Why ever use http://? Even if the MantisBT install is on HTTP, best
to always load any third-party resources over TLS to better protect against
MITM.

Just surprised me to see this:
https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169


Hi Reed,

To be honest, I'm not quite sure, and never thought about it... I did
not author this code, which has been like this since before I even
joined the project [1]. The implementation of Gravatar as a plugin just
recycled the existing code.

IMO your suggestion to always use https makes sense, I'm cc'ing the
MantisBT dev list as this is probably better discussed there. You're
also welcome to open an issue in our tracker if you want.

Cheers
Damien

[1] https://mantisbt.org/bugs/view.php?id=8882
    https://github.com/mantisbt/mantisbt/commit/241f91d59

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 27)
- Re: MantisBT weakened CSP when using bundled Gravatar plugin cve-assign (Aug 29)
  - Re: Re: MantisBT weakened CSP when using bundled Gravatar plugin Reed Loden (Aug 29)
    - Re: MantisBT weakened CSP when using bundled Gravatar plugin Damien Regad (Aug 30)