Injectable, known token references #115

Closed
gocom opened this issue Oct 24, 2013 · 1 comment

Comments

gocom commented Oct 24, 2013

Textile uses stored reference tokens to insert spans into the parsed document. This has some problems, in both security and usability. For one, if tokens are used, there needs to be:

  • address randomization; nobody must know the reference. If they do, they can fetch the reference from the cache themselves, bypassing any post-filtering that would normally occur.
  • the tokens must never appear in the document itself.

Basically, the document should be checked for the token prefix before it's used. Textile isn't event/reference based, so there is a chance of a token appearing in the content if it's not there beforehand.

If the prefix is in the document, try generating a new one, until a free prefix is found.
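The check described in this issue, as an added Python sketch that is not the project's own code: a per-run random prefix is regenerated until it is absent from the input, and only tokens carrying that prefix are resolved. All names here (`random_prefix`, `free_prefix`, `SpanStore`, `render`, the `gen` parameter) and the `prefix:index:` token layout are assumptions made for illustration.

```python
import re
import secrets


def random_prefix():
    """128 bits from the OS CSPRNG, so the reference cannot be guessed."""
    return secrets.token_hex(16)


def free_prefix(document, gen=random_prefix, max_tries=8):
    """Return a fresh prefix that occurs nowhere in `document`."""
    for _ in range(max_tries):
        prefix = gen()
        if prefix not in document:
            return prefix
    raise RuntimeError("no unused token prefix found")


class SpanStore:
    """Holds already-rendered spans behind per-run reference tokens."""

    def __init__(self, document, gen=random_prefix):
        self.prefix = free_prefix(document, gen)
        self.spans = []
        # Only tokens carrying this run's prefix are ever resolved.
        self.pattern = re.compile(re.escape(self.prefix) + r":(\d+):")

    def shelve(self, span):
        """Store a span and return the token that stands in for it."""
        self.spans.append(span)
        return f"{self.prefix}:{len(self.spans) - 1}:"

    def restore(self, text):
        """Swap this run's tokens back for their stored spans."""
        def lookup(match):
            index = int(match.group(1))
            # A number with no span behind it stays as literal text.
            return self.spans[index] if index < len(self.spans) else match.group(0)
        return self.pattern.sub(lookup, text)


def render(document, gen=random_prefix):
    """Constructed mini-pipeline: shelve a trusted span, filter, restore."""
    store = SpanStore(document, gen)
    trusted = store.shelve("<code>x &lt; y</code>")
    # Post-filtering of the user's text runs while the span is shelved.
    filtered = document.replace("<", "&lt;").replace(">", "&gt;")
    return store.restore(filtered + " " + trusted)
```

Passing a deterministic `gen` makes the collision path testable: when the first candidate prefix already appears in the input, the second is used and the token-shaped text in the input is left as literal, filtered content.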

gocom pushed a commit that referenced this issue Oct 24, 2013
gocom commented Oct 24, 2013

Oh, yeah, poop -- accidental 'issue' in commit message.

@gocom gocom closed this as completed Oct 24, 2013