boostorg / website-v2

New Boost website
https://boost.io
Boost Software License 1.0

Version cookie pollution #1168

Closed joaquintides closed 1 month ago

joaquintides commented 1 month ago

Suppose a user has their version cookie set to 1.85, so the URL

https://www.boost.io/releases/

gets resolved to

https://www.boost.io/releases/boost-1-85-0/

as it should be. Now, if the user manually enters something like this in their URL bar:

https://www.boost.io/releases/whatever

The site returns a 404 (ok) but then clicking on "Releases" or "Libraries" fails with 404 or 500 because the version cookie has been changed to "whatever".

In short, the version cookie must be validated before its value is changed.
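One way to implement the validation the report asks for, as an added example that is not the website's own code: the cookie is only rewritten when the path segment has the expected release-slug shape and names a known release, and a cookie that is already polluted is ignored on read. The `boost-1-85-0` slug format is taken from the report; the list of known releases is constructed for the example.

```python
import re
from typing import Optional

# Slug shape modelled on the "boost-1-85-0" path segment in the report (assumption).
VERSION_SLUG_RE = re.compile(r"^boost-(\d+)-(\d+)-(\d+)$")

# Constructed sample of known releases; a real site would load this from its release data.
KNOWN_VERSIONS = {"boost-1-85-0", "boost-1-84-0", "boost-1-83-0"}


def is_valid_version_slug(slug: Optional[str], known_versions=KNOWN_VERSIONS) -> bool:
    """Accept a slug only if it has the expected shape AND names a real release."""
    if not slug:
        return False
    return bool(VERSION_SLUG_RE.match(slug)) and slug in known_versions


def version_from_path(path: str) -> Optional[str]:
    """Return the candidate segment from a /releases/<segment>/ path, else None."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "releases":
        return parts[1]
    return None


def next_cookie_value(path: str, current_cookie: Optional[str],
                      known_versions=KNOWN_VERSIONS) -> Optional[str]:
    """Decide what the version cookie should hold after serving `path`.

    The cookie changes only when the path carries a slug that passes validation.
    An unknown segment such as "whatever" leaves the stored value untouched, so a
    404 for a bad URL cannot break later clicks on "Releases" or "Libraries".
    """
    candidate = version_from_path(path)
    if is_valid_version_slug(candidate, known_versions):
        return candidate
    return current_cookie


def effective_version(cookie: Optional[str], default: str,
                      known_versions=KNOWN_VERSIONS) -> str:
    """Read side: fall back to the default release when the stored cookie is not a known slug."""
    return cookie if is_valid_version_slug(cookie, known_versions) else default
```

Validating on read as well as on write means browsers that already carry a polluted cookie recover on their next request instead of continuing to 404/500.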

kennethreitz commented 1 month ago

will look into this, thanks

joaquintides commented 1 month ago

Confirmed in staging.