dev.horde.org
Comment on [#5307] Upgrade Prototype to 1.5.1_rc3 and make use of CSRF protection
> imp.js.php and dimp.js.php are served as javascript, so if we don't
> protect them, someone can request them remotely (assuming a user is
> logged in to horde, which isn't far-fetched for these purposes) and
> steal a session id embedded in the javascript. So these need to be
> changed to go through the /*secure* trick somehow (and they can't
> just call evalJson in those files - then the attacker would just
> define evalJson), or inlined like I did for Kronolith and Gollem.
>
> I'm hoping to pass this off since Michael, you're more familiar with
> the current js structure of dimp/imp, and frankly I'm a bit fried on
> bugs at the moment. Had a bad weekend with Turba. :)