Comments (11)
@zxc7528064 commenting again and again won't get you an answer any quicker. Either wait for an answer or, as ryan suggested above, write an email. Generally I'd suggest not having too much hope. I've never seen processwire interact with CVE, nor is this considered a security issue, as explained by ryan previously.
from processwire.
It's an error in terms of being unintended.
It's not a security issue though, as you need login credentials to get to that part of processwire. Authenticated users in processwire are trusted. A malicious user should not even get to login to the system in the first place.
At least you have to reply to respect
You're not entitled to anything here. This is an open source project. People invest whatever they think is right, not what other people think may be right. Also ryan is one of those OSS maintainers who's using GitHub only sparsely. I have PRs which have been open for years and which never did receive a response.
from processwire.
Thanks @zxc7528064, good find, I've pushed a fix for that to our dev branch. PW's admin is built specifically as a trusted user only environment, so if the goal is to insert markup of any kind like this, then there are several perhaps easier ways to do it from the admin. But those ways are expected and intended as part of the admin functions. And the one you pointed out here is not specifically intended, and worthwhile to fix, thanks for letting me know.
from processwire.
@ryancramerdesign Thank you for your attention to this security issue.
from processwire.
@ryancramerdesign Do you fix the Security issue?
from processwire.
@zxc7528064 The bug was fixed a few weeks ago, 4-5 minor versions back on our dev branch, and will migrate with many other updates to the master branch on the next major version. Taken in the context of this particular trusted user/admin environment, it does not open any new doors necessary for us to label it a security issue. But I appreciate the time you took to report, it's a good bug fix regardless. I don't actively monitor this part of GitHub, but feel free to email me if you have any questions or comments. Thanks.
from processwire.
@ryancramerdesign
Can I use the Security Issue to apply a CVE Number? @@
from processwire.
@ryancramerdesign Do you receive my information?
from processwire.
@LostKobrakai At least you have to reply to respect. If it's not an error, then he shouldn't fix it.
from processwire.
@LostKobrakai I mean at least to reply can I? If not, then I will not force it. This is the basic respect, and I am very grateful for your speech.
from processwire.