possible security bug on @auth.requires_login() with post_vars


André Kablu

Jan 24, 2014, 5:07:03 PM1/24/14
to web2py-d...@googlegroups.com
The steps to reproduce the error:

1) create a controller with requires_login()
2) make this controller post to itself (let's suppose this field is a credit card number)
3) login to application
4) go to controller and fill the credit card field / secret field, but not submit yet
5) hold until auth session expires
6) click the submit button

Now the secret field post, or whatever data you are submitting, is exposed in the URL as GET vars, and worse, saved into browser history.

This happens b/c even post_vars are written into the URL when requires_login is called.

This may be an issue if your app handles passwords, keys, secure data, secrets, etc...


Maybe the solution is to store post_vars into session during this kind of action?

Should we consider this as issue or not?
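To make the failure mode concrete, here is a small added illustration (my own simplified model, not web2py's code) of how a login redirect can leak POST fields. A "before" builder serialises every request var, POST included, into the `_next` query parameter; a "fixed" builder keeps only the path and GET vars in the URL and parks the POST fields in a server-side session instead. The `login_url`, `path`, field names, card value and the `session` dict are all constructed for the example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample request: a credit-card form on a login-protected controller
# whose auth session has just expired, exactly the scenario described above.
LOGIN_URL = "/default/user/login"          # assumed login action path
PATH = "/default/pay"                      # assumed protected controller path
GET_VARS = {"ref": "promo"}
POST_VARS = {"card_number": "4111111111111111", "cvv": "123"}   # fake test values
SECRET_FIELDS = {"card_number", "cvv"}


def build_login_redirect_vulnerable(login_url, path, get_vars, post_vars):
    """Pre-fix behaviour as the thread describes it: every request var,
    including POST fields, is encoded into the `_next` URL."""
    all_vars = {**get_vars, **post_vars}
    next_url = path + ("?" + urlencode(all_vars) if all_vars else "")
    return login_url + "?" + urlencode({"_next": next_url})


def build_login_redirect_fixed(login_url, path, get_vars, post_vars, session):
    """Hardened form: only path and GET vars go into `_next`; POST fields are
    stored in the server-side session (a dict here) so they never touch the
    URL, the access log or the browser history."""
    if post_vars:
        session["pending_post_vars"] = dict(post_vars)
    next_url = path + ("?" + urlencode(get_vars) if get_vars else "")
    return login_url + "?" + urlencode({"_next": next_url})


def url_leaks_fields(url, secret_field_names):
    """Defensive check: does any secret field name appear in the query string
    of the redirect URL or of the nested `_next` URL it carries?"""
    query = parse_qs(urlparse(url).query)
    for nested in query.get("_next", []):
        query.update(parse_qs(urlparse(nested).query))
    return any(name in query for name in secret_field_names)


def demo():
    """Returns (vulnerable_leaks, fixed_leaks, session_after_fix)."""
    session = {}
    bad = build_login_redirect_vulnerable(LOGIN_URL, PATH, GET_VARS, POST_VARS)
    good = build_login_redirect_fixed(LOGIN_URL, PATH, GET_VARS, POST_VARS, session)
    return (url_leaks_fields(bad, SECRET_FIELDS),
            url_leaks_fields(good, SECRET_FIELDS),
            session)


if __name__ == "__main__":
    vulnerable_leaks, fixed_leaks, session = demo()
    print("vulnerable redirect leaks secrets:", vulnerable_leaks)   # True
    print("fixed redirect leaks secrets:", fixed_leaks)             # False
    print("POST fields parked in session:", session)
```

The `url_leaks_fields` check is the kind of regression test worth keeping around a redirect-after-login helper: it parses the outer redirect and the nested `_next` target and fails if any field that was submitted by POST is reachable from the URL alone.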

Massimo Di Pierro

Jan 24, 2014, 5:22:53 PM1/24/14
to web2py-d...@googlegroups.com
Very bad. I think it is now fixed in trunk. Can you please check it? I will then commit a 2.8.3.

Massimo

--
-- mail from:GoogleGroups "web2py-developers" mailing list
make speech: web2py-d...@googlegroups.com
unsubscribe: web2py-develop...@googlegroups.com
details : http://groups.google.com/group/web2py-developers
the project: http://code.google.com/p/web2py/
official : http://www.web2py.com/
---
You received this message because you are subscribed to the Google Groups "web2py-developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py-develop...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

André Kablu

Jan 24, 2014, 5:54:36 PM1/24/14
to web2py-d...@googlegroups.com
Hi Massimo,

Very good! The fix works fine!

Thanks!

André Kablu