ForgeRock / openam-community-edition

Access Management - AuthN, AuthZ, SSO, Federation
https://forgerock.github.io/openam-community-edition/

OPENAM-7583 #41

Open FireBurn opened 6 years ago

FireBurn commented 6 years ago

Based on:

commit d5c30071dde7082146312ecbc62914d4d1df7532
Author: Ram Anaswara ram.anaswara@forgerock.com
Date: Wed Jan 6 11:35:08 2016 +0000

aldaris commented 6 years ago

Unfortunately this isn't really a fix. On 13.0.0 applying this patch was kind of okay, because there is a newer version of selfservice since 13.0.0. In this version, there is only this version of the selfservice endpoints, hence creating a setting to enable/disable it feels inappropriate and doesn't actually protect from the underlying security issue.