Remove slug from the "package not found" error message.
A user reported that the slug could be used for content injection attacks. While it's impossible to inject HTML/CSS/JS code, even plain text can theoretically be abused for social engineering purposes.

I'd like to allow relatively free-form slugs (basically, any valid file name can be a slug), so there doesn't seem to be a way to eliminate this kind of risk other than just not showing the slug.
YahnisElsts committed May 23, 2017
1 parent 395955f commit 7a74538
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion includes/Wpup/UpdateServer.php
@@ -153,7 +153,7 @@ protected function validateRequest($request) {
$this->exitWithError('You must specify a package slug.', 400);
}
if ( $request->package === null ) {
$this->exitWithError(sprintf('Package "%s" not found', htmlentities($request->slug)), 404);
$this->exitWithError('Package not found', 404);
}
}
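Review bot: Replacing the formatted message with the fixed string 'Package not found' on the `$request->package === null` branch removes the only diagnostic a site operator had for a mistyped or misconfigured slug; consider logging the requested slug server-side (length-limited, and outside the HTTP response) so the 404 stays generic to clients while the cause remains discoverable. It is also worth checking that no other `exitWithError` call in `validateRequest` still echoes request parameters back to the client, since the social-engineering concern in the commit message applies to any reflected input, not just this one.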

