Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"this.publish" function in js/samplesviewer.js can overwrite server files #296

Open
euanong opened this issue Dec 19, 2016 · 1 comment
Open

"this.publish" function in js/samplesviewer.js can overwrite server files #296

euanong opened this issue Dec 19, 2016 · 1 comment
Labels
bug major
Milestone
GCI 2017

Comments

@euanong
Copy link
Member

euanong commented Dec 19, 2016
edited

When a user clicks the 'publish' button in the 'Planet' view there are no checks to see whether the project is already published - this slows the code down and also can overwrite entries already present on the server. Maybe a user could be forced to name their project with a name that has not already been used?

Identical issue to https://github.com/walterbender/musicblocks/issues/387
@euanong euanong mentioned this issue Dec 19, 2016
Closed
@tradzik
Copy link
Contributor

tradzik commented Dec 26, 2016
edited

The bug is even more serious. Anyone who knows the algorithm (API key, request schema are hard-coded) can possibly overwrite any file on the server (by-passing getPublishableName validation using external tools, like e.g. cURL).

@walterbender walterbender mentioned this issue Dec 27, 2016
Open
@walterbender walterbender added this to the GCI 2017 milestone Sep 27, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug major
Projects
None yet
Milestone
GCI 2017
Development

No branches or pull requests
3 participants
@tradzik @walterbender @euanong