[SOGo] Exception in processing of unicode strings

Wolfgang Sourdeau sogo@opengroupware.org
Wed, 21 Nov 2007 11:47:49 -0500


On 2007-11-21 10:46:10 -0500 Helge Hess <helge.hess@opengroupware.org> wrote:

> On 21.11.2007, at 15:14, Wolfgang Sourdeau wrote:
>>> On 21.11.2007, at 10:12, Ivanov Dmitri wrote:
>>>> 172.16.0.215 - - [21/Nov/2007:11:57:28 GMT] "POST /SOGo/so/connect?
>>>> userName=ivanov_dv&password=XXXXXX HTTP/1.1" 204 0/0 0.478 - - 992K
>>> Oh oh, *major* security flaw! The password is transferred in the
>>> URL??? Or did you add that manually for your debugging?
>>> [it's already a POST, so no reason to transfer the password in the
>>> URL]
>> It's actually done as a GET through an AJAX request.
> 
> The log clearly shows that it's a regular POST? Just add the password
> parameter to the content of the post (e.g. by using a hidden field if
> you can't transfer it directly).

Yes, I was mistaken. It is a POST. I just fixed the problem here. It
will be committed tonight.


Wolfgang
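
The issue raised in this thread, a password placed in the query string of a POST and therefore written to the access log, can be audited for in existing logs. The following is an added example, not code from SOGo or from this message: it scans log lines in the format quoted above, reports requests whose URL carries a secret-looking parameter, and redacts the value. The parameter-name list, the `/example/login` path and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumed list; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}

# The quoted request line of a common-log-style entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return (redacted_line, leaked_parameter_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return line, []
    # Rebuild the query with secret values replaced, other parameters kept.
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def scan_log(lines):
    """Return (redacted_lines, findings); findings are (line_no, method, names)."""
    redacted, findings = [], []
    for no, line in enumerate(lines, start=1):
        new_line, leaked = scan_line(line)
        redacted.append(new_line)
        if leaked:
            method = REQUEST_RE.search(line).group("method")
            findings.append((no, method, leaked))
    return redacted, findings

# Constructed sample lines. Line 2 is the corrected form: the password travels
# in the POST body, so nothing sensitive reaches the log.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Nov/2007:11:57:28 GMT] "POST /SOGo/so/connect?userName=alice&password=hunter2 HTTP/1.1" 204 0/0 0.478 - - 992K',
    '192.0.2.10 - - [21/Nov/2007:11:57:30 GMT] "POST /SOGo/so/connect HTTP/1.1" 204 0/0 0.401 - - 992K',
    '192.0.2.11 - - [21/Nov/2007:11:58:02 GMT] "GET /example/login?Password=abc%26d&view=inbox HTTP/1.1" 200 0/0 0.120 - - 992K',
]

if __name__ == "__main__":
    redacted, findings = scan_log(SAMPLE_LOG)
    for no, method, names in findings:
        print(f"line {no}: {method} request exposes {names} in the URL")
    print("\n".join(redacted))
```

Any password found this way should be treated as exposed to everyone with read access to the log files and rotated.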