Protected page content visible to curl before redirect

Created on 22 January 2023, over 2 years ago

Updated 23 January 2023, over 2 years ago

Hi,
Client flagged this one and I have confirmed.

The (potentially sensitive, hence the use of this module) content of the protected pages is plainly visible to curl before the 302 redirect kicks in.

Reproduce:

Action: Visit https://mydrupalsite/protected-url in browser
Result: 302 redirect occurs as normal (confirm in devtools), redirected to password input page

Action: Enter curl https://mydrupalsite/protected-url in terminal and inspect output
Result: Full page source of "protected" page clearly visible and accessible

🐛 Bug report

Status

Needs review

Version

1.4

Component

Code

Created by

skversa

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @skversa
Comment over 2 years ago →
skversa
Assigned to diegors
Comment over 2 years ago →
🇧🇷Brazil diegors Campinas - Brazil
Working on it.
@diegors opened merge request.
Issue was unassigned.
Status changed to Needs review over 2 years ago2:18am 23 January 2023
Comment over 2 years ago →
🇧🇷Brazil diegors Campinas - Brazil
Add a return checkProtectedPage() method and send a HTTP_NO_CONTENT in response fixed the problem, please review.
Comment about 2 years ago →
skversa
Thanks for the update, any news on having this merged in please?

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024