heiseonline / shariff-backend-php

👮 PHP backend for Shariff. Shariff enables website users to share their favorite content without compromising their privacy.
http://ct.de/-2467514

Default installation leaks shariff.json with Facebook App secret #106

Closed: cmaas closed 8 years ago

cmaas commented 8 years ago

If you follow the installation instructions, shariff.json will be accessible by entering the URL in the browser, e.g. http://example.com/shariff-backend-php/shariff.json. This exposes the Facebook App secret if one was entered.

Fix: Bring awareness to this issue and give clear instructions on how to make shariff.json not readable.

liayn commented 8 years ago

Next release will not contain a JSON anymore. See pending PR. I migrated that to a plain PHP array.

liayn commented 8 years ago

Oh PR #104 just got merged. So, done.

compeak commented 8 years ago

Fixed in 6.0.0. Please feel free to reopen this issue if you have further questions.
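
A deployment check for the exposure reported in this issue, as an added example that is not part of the thread or of the project's code: it walks a document root and reports JSON files, which a web server returns verbatim, that hold a non-empty secret-looking value. The key names in the sample config, the `SECRET_HINTS` list and the function names are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# Key-name fragments treated as secret-bearing (assumption; tune for your stack).
SECRET_HINTS = ("secret", "password", "token")


def secret_paths(node, prefix=""):
    """Yield dotted paths of secret-looking keys that hold a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if isinstance(value, str) and value and any(h in str(key).lower() for h in SECRET_HINTS):
                yield path
            else:
                yield from secret_paths(value, path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_paths(item, f"{prefix}[{i}]")


def audit_docroot(docroot):
    """Map each *.json file under docroot to the secret key paths it contains."""
    findings = {}
    for path in Path(docroot).rglob("*.json"):
        try:
            hits = sorted(secret_paths(json.loads(path.read_text(encoding="utf-8"))))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON
        if hits:
            findings[path.relative_to(docroot).as_posix()] = hits
    return findings


def demo():
    """Audit a constructed web root that mirrors the layout in the issue."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "shariff-backend-php")
        app.mkdir()
        # Constructed config: key names are assumptions, values are fake.
        cfg = {"domains": ["example.com"], "Facebook": {"app_id": "0000", "secret": "EXAMPLE-NOT-REAL"}}
        (app / "shariff.json").write_text(json.dumps(cfg), encoding="utf-8")
        (app / "composer.json").write_text(json.dumps({"name": "example/site"}), encoding="utf-8")
        return audit_docroot(root)


if __name__ == "__main__":
    print(demo())
```

Run `audit_docroot` against your own document root; any file it reports should be moved out of the served tree or denied by the web server configuration.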