Do not accept save requests with credentials leaked in the origin URL
Closed, MigratedEdits Locked
Actions

Assigned To

Authored By

	anlambert
	May 13 2022, 3:49 PM

Description

Currently, it is possible to submit a Save Code Now request with an origin URL containing HTTP basic authentication credentials.

As all submitted save requests are publicly browsable, we should forbid to submit such origin URLs to avoid leaking sensible data.

To do so, we must:

invalidate Save Code Now form client-side when such an origin URL is submitted
reject save request on the backend side when detecting such origin URL (in case request is submitted directly through our Web API)

rDWAPPS Web applications
	D7843	rDWAPPSf2d6fec278db origin_save: Reject save request when origin URL contains a password

anlambert triaged this task as Normal priority.May 13 2022, 3:49 PM

anlambert created this task.

This has been implemented and deployed.