[dev] Deprecated elements
Michael M Slusarz
slusarz at horde.org
Sat Mar 16 15:23:19 UTC 2013
Quoting Chuck Hagenbuch <chuck at horde.org>:
> go.php/Horde::externalUrl() is for making sure that session ids in
> GET don't get passed to external sites. So unless I'm
> misunderstanding, this is a separate thing.
Maybe I'm misreading go.php, but this doesn't seem to be the case. 80%
of that script is dealing with looking at the target URL and
displaying "Dangerous URL" if the target is the same server as the
Horde installation. This to me screams "token protection".
Regardless, I guess I am still confused as to how our session ID can
be "leaked" via a URL? If this is somehow happening in URLs we are
generating, that almost certainly is an error that needs to be fixed
at the generation level - not attempted to be caught by some referrer
script.
> Possible that we don't use the
> signQueryString/verifySignedQueryString elsewhere, but they seem
> like useful pieces to me? No strong opinion though.
They might be useful, but not universally so. At least not something
that needs to be in our general Horde library and loaded on every page.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
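A sketch of the two checks discussed in this thread, refusing redirect targets that point back at the same server and keeping the session id out of the URL that is handed on, as an added Python illustration that is not Horde's go.php; the installation host name and the `sid` parameter name are constructed assumptions:

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed example: host name of our own installation.
LOCAL_HOST = "mail.example.org"
# Assumed name of the session-id query parameter (not Horde's real one).
SESSION_PARAM = "sid"


def classify_target(target: str, local_host: str = LOCAL_HOST) -> str:
    """Classify a redirect target the way a go.php-style gateway would.

    Returns:
      'dangerous' - the target is this installation itself, so the gateway
                    must not bounce the browser there ("Dangerous URL"),
      'invalid'   - not an absolute http(s) URL (no javascript:, no
                    relative paths),
      'external'  - an off-site target the gateway may redirect to.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    if parts.hostname.lower() == local_host.lower():
        return "dangerous"
    return "external"


def strip_session_id(url: str, param: str = SESSION_PARAM) -> str:
    """Drop the session-id parameter from a URL's query string.

    A URL that still carries the session id would expose it in the Referer
    header sent to whatever site the browser is redirected to.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))
```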