Add mitigation against BREACH - nextcloud-server.git - Nextcloud server, a safe home for all your data: https://github.com/nextcloud/server

index : nextcloud-server.git

Nextcloud server, a safe home for all your data: https://github.com/nextcloud/server

www-data

about summary refs log tree commit diff stats

path: root/apps/files/js/filelist.js

diff options

author	Lukas Reschke <lukas@owncloud.com>	2015-08-13 07:36:42 +0200
committer	Lukas Reschke <lukas@owncloud.com>	2015-08-14 01:31:32 +0200
commit	8313a3fcb3b24bf9e36f48581f64336623ae1ead (patch)
tree	5f5f665dca0cd395a6706389c5e2e1f11b95380d /apps/files/js/filelist.js
parent	1f96fb3352ad43155586d6deae95bf889768ba05 (diff)
download	nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.tar.gz nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.zip

Add mitigation against BREACH

While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.

Diffstat (limited to 'apps/files/js/filelist.js')

0 files changed, 0 insertions, 0 deletions