tarcieri
commented
2 years ago Please email me at bascule@gmail.com to follow up.
A SECURITY.md is a good idea as well.
Open JamieSlome opened 2 years ago
tarcieri
commented
2 years ago Please email me at bascule@gmail.com to follow up.
A SECURITY.md is a good idea as well.
JamieSlome
commented
2 years ago @tarcieri - thanks for the response!
If you prefer, you can view the report directly here:
https://huntr.dev/bounties/2282338f-f8f6-436c-92c7-fab8da8ff3ab/
It is private and only accessible to maintainers with repository write permissions 🤝
tarcieri
commented
2 years ago Can you go ahead and open a public issue for this?
Since it relies on a trusted site redirecting to a potentially malicious site, it doesn't seem particularly exploitable to me.
cc @ranjit-git
tarcieri
commented
2 years ago I also thought we were relying on HTTP::CookieJar's scoping rules... curious if it's actually an upstream bug in that? https://github.com/httprb/http/pull/613/files
Also related: #631
ixti
commented
2 years ago I'll take a look this weekend.
tarcieri
commented
11 months ago Whatever behavior might be incorrect here was probably implemented in #613
Hey there!
I belong to an open source security research community, and a member (@ranjit-git) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a
SECURITY.mdfile with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)