Make sure we don't send a referrer on the remind and reset views
On this specific page we set the Referrer-Policy header to no-referrer so no referrer is sent.
We do not send that policy.
None.
This is a pull request for a report to the security team where the @joomla/security team decided to move the patch to the public tracker.
Thanks to Pim Feltkamp & Vipul Sahu for reporting this to us.
Status | New | ⇒ | Pending |
Category | ⇒ | Front End com_users |
Where do you want me to add the header call?
Headers should be set in whatever controller is triggering the view, in this case that'd be /components/com_users/controller.php
is something we should also need to consider in the privacy-framework ?
You can apply that on any page where you send a mail with a token in the URL. I'm not 100% sure but if you have a similar page please do so.
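As an added illustration of the two points above (set the header in the controller rather than the view, and apply it to any view reached from an e-mail link with a token in the URL), here is a hypothetical Joomla 3.x-style com_users controller override. It is example code written for this page, not the pull request's own patch; it assumes the Joomla 3.x API (JControllerLegacy, JInput::getCmd(), JFactory::getApplication()->setHeader()) and a made-up $tokenViews list holding the two views named in the pull request.

```php
<?php
// Added example, not the Joomla patch itself. Assumes the Joomla 3.x
// API: JControllerLegacy, $this->input->getCmd() and
// JFactory::getApplication()->setHeader($name, $value, $replace).
defined('_JEXEC') or die;

class UsersController extends JControllerLegacy
{
    /**
     * Views that are reached from an e-mail link whose URL may carry a
     * one-time token. The token is a credential: if the rendered page
     * makes any request to another origin (image, script, outbound link),
     * the full URL, token included, would otherwise travel in the Referer
     * header. (Hypothetical list; the views are the ones named in the PR.)
     *
     * @var array
     */
    protected $tokenViews = array('remind', 'reset');

    /**
     * Set the header here, in the controller that triggers the view,
     * so it is emitted before any layout output and independently of
     * which template renders the view.
     */
    public function display($cachable = false, $urlparams = false)
    {
        $view = $this->input->getCmd('view', 'login');

        if (in_array($view, $this->tokenViews, true))
        {
            // Third argument true: replace any Referrer-Policy header
            // a plugin or the web server may already have queued.
            JFactory::getApplication()->setHeader('Referrer-Policy', 'no-referrer', true);
        }

        return parent::display($cachable, $urlparams);
    }
}
```

To confirm the change, request the reset or remind page and compare the response headers with the before/after listing in the test report below: the only difference should be the added `Referrer-Policy: no-referrer` line. Note what the header does and does not cover: it stops the browser from sending this page's URL onward in Referer, but the token still appears in the web server's access log and in the user's browser history, so the token should remain short-lived and single-use regardless of the header.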
I have tested this item
I have tested this item
Before patch:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 3778
Content-Type: text/html; charset=utf-8
Date: Fri, 31 Aug 2018 13:00:04 GMT
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Last-Modified: Fri, 31 Aug 2018 13:00:05 GMT
Pragma: no-cache
Server: Apache/2.4.29 (Win32) OpenSSL/1.0.2n PHP/7.0.28
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.28
After patch:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 3775
Content-Type: text/html; charset=utf-8
Date: Fri, 31 Aug 2018 13:20:18 GMT
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Last-Modified: Fri, 31 Aug 2018 13:20:19 GMT
Pragma: no-cache
Referrer-Policy: no-referrer
Server: Apache/2.4.29 (Win32) OpenSSL/1.0.2n PHP/7.0.28
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.28
Status | Pending | ⇒ | Ready to Commit |
Ready to Commit after two successful tests.
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-09-03 17:13:54 |
Closed_By | ⇒ | mbabker | |
This is ok. But I think this belongs in the controller not the view?