[rt-devel] Following links offsite
Bruce Campbell
bruce_campbell at ripe.net
Mon Jan 28 12:39:07 EST 2002
On Mon, 28 Jan 2002, Bruce Campbell wrote:
> If I remember, I'll knock up something to go in /NoAuth to do what is
> described in http://www.lboro.ac.uk/computing/providers/redirect.html .
Actually, thinking more about this, I'm thinking that it's a security risk
to link directly from an RT system offsite. E.g., if I follow a link from a
displayed ticket (http://rt.example.com/Ticket/Display.html?id=349856), to
a remote website, that website has just received, via my browser's passing
of the HTTP_REFER field, the URL to my ticketing system, and the exact
ticket that I'm working on.
Ugh. Not a problem if the RT webserver is behind a firewall, but it is a
problem if it's on a publicly available webserver and you've got a
guessable password for people, or the authentication information for RT
has been passed on the URL.
I will knock something up for /NoAuth and do patches for the displaying of
tickets.
--
Bruce Campbell                                             RIPE
Systems/Network Engineer                                    NCC
www.ripe.net - PGP562C8B1B                           Operations
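The Referer leak described above, and the /NoAuth redirector proposed as a fix, sketched as an added example that is not Bruce's patch or RT's own code. The path /NoAuth/Redirect.html and the parameter name u are assumptions; the Referrer-Policy header and rel="noreferrer" are later browser mechanisms added here next to the older meta-refresh page, and the scheme check keeps the endpoint from forwarding to javascript: or other non-http targets.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical unauthenticated redirector path, in the spirit of the /NoAuth idea.
REDIRECTOR = "/NoAuth/Redirect.html"


def rewrite_offsite_links(page_html, own_host):
    """Send every absolute link to another host through the redirector, so the
    destination's Referer is the redirector page rather than the ticket URL."""
    def repl(match):
        url = html.unescape(match.group(1))
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.netloc.lower() != own_host.lower():
            return 'href="%s?u=%s"' % (REDIRECTOR, quote(url, safe=""))
        return match.group(0)  # relative or same-host link: leave untouched
    return re.sub(r'href="([^"]*)"', repl, page_html)


def redirect_response(query_string):
    """Build the redirector's (status, headers, body) for a query string.
    Only http(s) URLs with a host are forwarded; a public deployment would also
    want a host allow-list or a signed parameter so it is not an open redirect."""
    target = parse_qs(query_string).get("u", [""])[0]
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return 400, {"Content-Type": "text/plain"}, "bad redirect target"
    safe_target = html.escape(target, quote=True)
    headers = {"Content-Type": "text/html", "Referrer-Policy": "no-referrer"}
    body = ('<html><head><meta http-equiv="refresh" content="0;url=%s"></head>'
            '<body><a href="%s" rel="noreferrer">Continue</a></body></html>'
            % (safe_target, safe_target))
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample: a ticket page linking offsite and to itself.
    sample = ('<a href="http://www.lboro.ac.uk/x">doc</a> '
              '<a href="/Ticket/Display.html?id=349856">self</a>')
    print(rewrite_offsite_links(sample, "rt.example.com"))
    print(redirect_response("u=http%3A%2F%2Fwww.lboro.ac.uk%2Fx")[0])
```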