Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 31 Aug 2016 01:45:15 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Cc: Mantisbt-dev@...ts.sourceforge.net
Subject: Re: MantisBT weakened CSP when using bundled Gravatar plugin

On 2016-08-30 01:31, Reed Loden wrote:
> Any reason why you don't just always use the https:// version for Gravatar
> here? Why ever use http://? Even if the MantisBT install is on HTTP, best
> to always load any third-party resources over TLS to better protect against
> MITM.
> 
> Just surprised me to see this:
> https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169

Hi Reed,

To be honest, I'm not quite sure, and never thought about it... I did
not author this code, which has been like this since before I even
joined the project [1]. The implementation of Gravatar as a plugin just
recycled the existing code.

IMO your suggestion to always use https makes sense, I'm cc'ing the
MantisBT dev list as this is probably better discussed there. You're
also welcome to open an issue in our tracker if you want.

Cheers
Damien

[1] https://mantisbt.org/bugs/view.php?id=8882
    https://github.com/mantisbt/mantisbt/commit/241f91d59



Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.