Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert "Make sure teachers can't upload videos into arbitrary series in single-upload" #364

Closed
wants to merge 1 commit into from
Closed

Revert "Make sure teachers can't upload videos into arbitrary series in single-upload" #364

wants to merge 1 commit into from

Conversation

ferishili
Copy link
Contributor

Reverts #363

@NinaHerrmann
Copy link
Contributor

Why do you think this should be reverted? I won't be available for a meeting today, we can appoint one tomorrow if you think it is not explainable in text.

@ferishili
Copy link
Contributor Author

ferishili commented Mar 18, 2024
edited
Loading

For the reason I mentioned in that belated review:
The fix has no use to the security issue, because if you pass arbitrary series:

  • by query param: it will never reach to the point that you can select it or put it in the form to submit.
  • If one can submit anything to the addvideo i.e. arbitrary series id via POST maliciously: then the provided fix to give null value to $series does NOT have any effect!

I can explain it in more details in a live meeting and go through the process step by step

@ferishili ferishili mentioned this pull request Mar 18, 2024
Merged
@ferishili ferishili closed this Mar 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ferishili @NinaHerrmann