List:       oss-security
Subject:    [oss-security] Re: MantisBT weakened CSP when using bundled Gravatar plugin
From:       Damien Regad <dregad () mantisbt ! org>
Date:       2016-08-30 23:45:15
Message-ID: nq55qe$v1e$1 () blaine ! gmane ! org

On 2016-08-30 01:31, Reed Loden wrote:
> Any reason why you don't just always use the https:// version for Gravatar
> here? Why ever use http://? Even if the MantisBT install is on HTTP, best
> to always load any third-party resources over TLS to better protect against
> MITM.
> 
> Just surprised me to see this:
> https://github.com/mantisbt/mantisbt/blob/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229/plugins/Gravatar/Gravatar.php#L165-L169
> 

Hi Reed,

To be honest, I'm not quite sure, and never thought about it... I did
not author this code, which has been like this since before I even
joined the project [1]. The implementation of Gravatar as a plugin just
recycled the existing code.

IMO your suggestion to always use https makes sense, I'm cc'ing the
MantisBT dev list as this is probably better discussed there. You're
also welcome to open an issue in our tracker if you want.

Cheers
Damien

[1] https://mantisbt.org/bugs/view.php?id=8882
    https://github.com/mantisbt/mantisbt/commit/241f91d59
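The pattern Reed raises, shown as an added example rather than the MantisBT plugin's own code: a scheme-dependent avatar URL forces the CSP to allow an http:// origin on HTTP installs, while always using Gravatar's TLS endpoint lets img-src stay https-only. The function names are hypothetical; the Gravatar hosts and the avatar hash scheme are Gravatar's documented ones.

```php
<?php
// Added example, not code from MantisBT. Function names are hypothetical.

// Weak pattern: the avatar scheme follows the page's scheme, so on an HTTP
// install the image is fetched in clear text and is exposed to MITM, and the
// Content-Security-Policy must whitelist http://www.gravatar.com as well.
function gravatar_url_scheme_dependent(string $email, int $size, bool $page_is_https): string {
    // Gravatar keys avatars by the MD5 of the trimmed, lower-cased address.
    $hash = md5(strtolower(trim($email)));
    $base = $page_is_https ? 'https://secure.gravatar.com' : 'http://www.gravatar.com';
    return $base . '/avatar/' . $hash . '?s=' . $size . '&d=identicon';
}

// Hardened pattern: always TLS, regardless of how MantisBT itself is served.
function gravatar_url(string $email, int $size): string {
    $hash = md5(strtolower(trim($email)));
    return 'https://secure.gravatar.com/avatar/' . $hash . '?s=' . $size . '&d=identicon';
}

// With the hardened URL the policy only has to trust one TLS origin.
function csp_img_src_hardened(): string {
    return "img-src 'self' https://secure.gravatar.com";
}

// What the scheme-dependent version needs on an HTTP install: an http: origin
// in the policy, which is exactly the weakening discussed in the thread.
function csp_img_src_weakened(): string {
    return "img-src 'self' https://secure.gravatar.com http://www.gravatar.com";
}

// Demo with a constructed sample address; headers must be sent before output.
$email = 'user@example.com';
header('Content-Security-Policy: ' . csp_img_src_hardened());
echo gravatar_url($email, 80), "\n";
echo "Weak policy would be: ", csp_img_src_weakened(), "\n";
echo "HTTP install, weak pattern: ", gravatar_url_scheme_dependent($email, 80, false), "\n";
```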

