[Tickets #8200] Re: Aviary's Phoenix image editor support
bugs at horde.org
Fri Apr 24 03:42:10 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/8200
------------------------------------------------------------------------------
Ticket | 8200
Updated By | Michael Rubinsky <mrubinsk at horde.org>
Summary | Aviary's Phoenix image editor support
Queue | Ansel
Version | HEAD
Type | Enhancement
State | Accepted
Priority | 1. Low
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Michael Rubinsky <mrubinsk at horde.org> (2009-04-23 23:42) wrote:
Looking at this further, I think we should probably wait until this
API matures a bit, or the "advanced api" version is implemented. With
the simple API there is no shared secret between the client server and
Aviary, only a client-specified identifier for each image that is
passed to Aviary in a GET request. After saving the image, Aviary
POSTs back to the client server a URL to find the new image, along
with the same identifier that was originally passed in the clear via
GET. So, unless I'm missing something, it would theoretically be
possible for a 3rd party to hijack this identifier and cause the
user's image to be replaced.
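
The callback weakness described above, seen from the receiving side, as an added example that is not part of the original message or of Ansel's code. It sketches how a client server could narrow the exposure while the callback carries no shared secret: an unguessable, single-use, expiring identifier plus a check on the returned URL's host. The class name, host name and TTL are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import urlparse

# Assumption: placeholder for the host the editing service serves saved images from.
ALLOWED_IMAGE_HOSTS = {"images.editor.example"}
TOKEN_TTL = 900  # seconds an issued identifier stays valid (constructed value)


class CallbackGuard:
    """Tracks identifiers handed to the external editor and vets its callbacks."""

    def __init__(self, now=time.time):
        self._pending = {}  # token -> (user, image_id, expiry)
        self._now = now

    def issue(self, user, image_id):
        # Unguessable identifier instead of a predictable image id.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user, image_id, self._now() + TOKEN_TTL)
        return token

    def accept(self, token, image_url):
        """Return (user, image_id) to update, or None if the callback is rejected."""
        parsed = urlparse(image_url)
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_IMAGE_HOSTS:
            return None  # never fetch from an arbitrary host; token stays valid
        entry = self._pending.pop(token, None)  # single use: consumed on first match
        if entry is None:
            return None  # unknown, guessed, or already used identifier
        user, image_id, expiry = entry
        if self._now() > expiry:
            return None  # edit session outlived the identifier
        return user, image_id
```

The identifier still travels in the clear in the GET request, so a party who observes it before the service calls back can use it once; only an authenticated callback, which the simple API lacks, closes that gap.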