etherpad-lite

History

Richard Hansen b80a37173e security: Fix authorization bypass vulnerability Before, a malicious user could bypass authorization restrictions imposed by the authorize hook: * Step 1: Fetch any resource that the malicious user is authorized to access (e.g., static content). * Step 2: Use the signed express_sid cookie generated in step 1 to create a socket.io connection. * Step 3: Perform the CLIENT_READY handshake for the desired pad. * Step 4: Profit! Now the authorization decision made by the authorize hook is propagated to SecurityManager so that it can approve or reject socket.io messages as appropriate. This also sets up future support for per-user read-only and modify-only (no create) authorization levels.	2020-09-15 21:40:25 +01:00
..
specs	security: Fix authorization bypass vulnerability	2020-09-15 21:40:25 +01:00
fuzzImportTest.js	tests: fuzzing, binary imports	2020-06-01 17:26:55 +01:00

Richard Hansen b80a37173e security: Fix authorization bypass vulnerability

Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.

2020-09-15 21:40:25 +01:00

specs

security: Fix authorization bypass vulnerability

2020-09-15 21:40:25 +01:00

fuzzImportTest.js

tests: fuzzing, binary imports

2020-06-01 17:26:55 +01:00