Date: Wed, 31 Aug 2016 01:45:15 +0200 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Cc: Mantisbt-dev@...ts.sourceforge.net Subject: Re: MantisBT weakened CSP when using bundled Gravatar plugin On 2016-08-30 01:31, Reed Loden wrote: > Any reason why you don't just always use the https:// version for Gravatar > here? Why ever use http://? Even if the MantisBT install is on HTTP, best > to always load any third-party resources over TLS to better protect against > MITM. > > Just surprised me to see this: > https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169 Hi Reed, To be honest, I'm not quite sure, and never thought about it... I did not author this code, which has been like this since before I even joined the project . The implementation of Gravatar as a plugin just recycled the existing code. IMO your suggestion to always use https makes sense, I'm cc'ing the MantisBT dev list as this is probably better discussed there. You're also welcome to open an issue in our tracker if you want. Cheers Damien  https://mantisbt.org/bugs/view.php?id=8882 https://github.com/mantisbt/mantisbt/commit/241f91d59 Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ