filesender / governance

Governance and policies for the FileSender software development

MoU14 m3 complete: Address test for insecure direct object refs (5.1.7) #29

Closed monkeyiq closed 2 years ago

monkeyiq commented 2 years ago

This was resolved with https://github.com/filesender/filesender/pull/1268

This requires a vid to be sent with guest requests and forces both roundtriptoken and owasp csrf to be on for guest interactions. This means that the vid would need to be known or guessed and that the two tokens would have to be leaked from an active browser session for possible attack. The roundtriptoken is unique for each new transfer created, the owasp csrf is a session based token.

This is described in detail in section 5.1.7 of the recent security audit.
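The three-factor check described in the comment above (a guest must present a known vid, the per-transfer roundtriptoken, and the session's CSRF token) as an added, stand-alone illustration in Python. This is not FileSender's code and not taken from PR 1268; the `GuestGateway`, `Transfer` and `Session` names, the token lengths and the rejection reasons are assumptions made here for the example. The point it demonstrates is the defensive layering: transfers are looked up only by the unguessable vid, never by their sequential id, and both tokens are compared in constant time before a guest action is allowed.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Transfer:
    """One guest transfer. Field names are illustrative, not FileSender's schema."""
    transfer_id: int          # internal sequential id; never accepted from a guest request
    vid: str                  # voucher id the guest must know to reference the transfer
    roundtrip_token: str      # unique per transfer, created fresh for every new transfer


@dataclass
class Session:
    """Browser session state; the session-based (OWASP-style) CSRF token lives here."""
    session_id: str
    csrf_token: str


def _ct_equal(expected: str, presented: str) -> bool:
    # Constant-time comparison on bytes, so a non-ASCII guess cannot raise instead of failing.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


class GuestGateway:
    """Hypothetical gateway: stores transfers keyed by vid and validates guest requests."""

    def __init__(self) -> None:
        self._by_vid: dict[str, Transfer] = {}   # the only index a guest request can hit
        self._next_id = 1

    @staticmethod
    def new_session() -> Session:
        return Session(session_id=secrets.token_hex(16), csrf_token=secrets.token_hex(32))

    def create_transfer(self) -> Transfer:
        # Each transfer gets its own random vid and its own random roundtrip token.
        t = Transfer(
            transfer_id=self._next_id,
            vid=secrets.token_hex(16),
            roundtrip_token=secrets.token_hex(32),
        )
        self._next_id += 1
        self._by_vid[t.vid] = t
        return t

    def authorize_guest_request(
        self, session: Session, vid: str, roundtrip_token: str, csrf_token: str
    ) -> tuple[bool, str]:
        """Return (allowed, reason). The reason string is meant for server-side logging."""
        t = self._by_vid.get(vid)
        if t is None:
            # Unknown vid: nothing is revealed about which transfer ids exist.
            return False, "unknown_vid"
        if not _ct_equal(t.roundtrip_token, roundtrip_token):
            return False, "bad_roundtrip_token"
        if not _ct_equal(session.csrf_token, csrf_token):
            return False, "bad_csrf_token"
        return True, "ok"


if __name__ == "__main__":
    gw = GuestGateway()
    browser = GuestGateway.new_session()
    transfer = gw.create_transfer()
    # Constructed requests: one legitimate, three that each lack one of the factors.
    print(gw.authorize_guest_request(browser, transfer.vid, transfer.roundtrip_token, browser.csrf_token))
    print(gw.authorize_guest_request(browser, str(transfer.transfer_id), transfer.roundtrip_token, browser.csrf_token))
    print(gw.authorize_guest_request(browser, transfer.vid, "guessed", browser.csrf_token))
    print(gw.authorize_guest_request(GuestGateway.new_session(), transfer.vid, transfer.roundtrip_token, browser.csrf_token))
```

The distinct rejection reasons are there for detection, not for the guest: a burst of `unknown_vid` or `bad_roundtrip_token` results from one client is the signal a defender would alert on, while the HTTP response sent back should stay uniform.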

meijer commented 2 years ago

Recommended to board to accept

meijer commented 2 years ago

Board accepted. Nils reports a typo in a variable, he'll send in a PR for that.