Information disclosure vulnerability
Closed this issue · 3 comments
If the user provided doesn't exist, the bundle displays a message advertising that the given user doesn't exist in the system, so it is an information disclosure vulnerability.
Hi @farconada,
thanks for getting in touch! I've now added in a verbose parameter on the listener, which by default hides all authentication exception messages in the response body. These messages might be useful for debugging purposes, so it's good to have it easily configurable...
Hope this helps - do let me know if you have any other questions or remarks!
Kind regards,
David
Lot of thanks for being so fast and responsive. I'm considering your bundle to develop my REST API, so we will be in touch.
All the best
2013/2/11 David Joos notifications@github.com
> Hi @farconada https://github.com/farconada,
> thanks for getting in touch! I've now added in a verbose parameter on the listener, which by default hides all authentication exception messages in the response body. These messages might be useful for debugging purposes, so it's good to have it easily configurable...
> Hope this helps - do let me know if you have any other questions or remarks!
> Kind regards,
> David
Hi,
you're welcome, thanks for your feedback!
Sounds great, don't hesitate to get in touch if you have any comments or remarks...
Kind regards,
David
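The fix described in the first reply (a verbose switch that hides authentication exception messages by default), sketched in plain PHP as an added example. It is not the bundle's code; the choice of PHP and every class, function and sample value below are assumptions. The dummy hash check that evens out response time for unknown users goes beyond what the thread discusses.

```php
<?php
// Added illustration only: every name here is hypothetical, not the bundle's API.
class UserNotFound extends RuntimeException {}
class BadCredentials extends RuntimeException {}

// Raises a distinct exception per failure cause, as an authentication provider might.
function authenticate(array $users, string $username, string $password): void
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    if (!isset($users[$username])) {
        // Verify against a dummy hash so unknown users cost about the same time as known ones.
        password_verify($password, $dummyHash);
        throw new UserNotFound("User '$username' does not exist.");
    }
    if (!password_verify($password, $users[$username])) {
        throw new BadCredentials("Invalid password for '$username'.");
    }
}

// Maps any authentication failure to a 401; $verbose decides whether the cause is exposed.
function handleLogin(array $users, string $username, string $password, bool $verbose = false): array
{
    try {
        authenticate($users, $username, $password);
        return ['status' => 200, 'body' => 'Authenticated.'];
    } catch (UserNotFound | BadCredentials $e) {
        // The precise cause always goes to the server-side log, so debugging stays possible.
        error_log(get_class($e) . ': ' . $e->getMessage());
        return ['status' => 401, 'body' => $verbose ? $e->getMessage() : 'Authentication failed.'];
    }
}

// Constructed sample user store (username => password hash).
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

$unknownUser   = handleLogin($users, 'nobody', 'guess');
$wrongPassword = handleLogin($users, 'alice', 'guess');

// With verbose off, both failures must look identical to the client.
var_dump($unknownUser === $wrongPassword);

// With verbose on (debugging only), the body reveals whether the account exists.
echo handleLogin($users, 'nobody', 'guess', true)['body'], PHP_EOL;
echo handleLogin($users, 'alice', 'guess', true)['body'], PHP_EOL;
```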