| field | value | date |
|---|---|---|
| author | Lukas Reschke <lukas@owncloud.com> | 2015-08-13 07:36:42 +0200 |
| committer | Lukas Reschke <lukas@owncloud.com> | 2015-08-14 01:31:32 +0200 |
| commit | 8313a3fcb3b24bf9e36f48581f64336623ae1ead (patch) | |
| tree | 5f5f665dca0cd395a6706389c5e2e1f11b95380d /tests/lib/appframework/controller/ControllerTest.php | |
| parent | 1f96fb3352ad43155586d6deae95bf889768ba05 (diff) | |
| download | nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.tar.gz nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.zip | |
Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response must reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is not really given with ownCloud, since user input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further, it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request, an attack such as BREACH is not feasible anymore, against the CSRF token at least.
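The property the commit message relies on is that the bytes reflected into each response differ per request even though the session's CSRF token stays the same, so a compression-based oracle has no stable secret substring to home in on. The following is an added, stand-alone illustration of that idea and is not ownCloud's `ICrypto` implementation or its algorithm: it masks the token with a keystream derived from a fresh random nonce and a shared instance secret, authenticates the result with an HMAC, and on submit decodes and compares the token in constant time. The secret and token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample secret; a real deployment loads a per-instance secret from configuration.
INSTANCE_SECRET = b"constructed-example-secret-not-for-production"
NONCE_LEN = 16   # bytes of random nonce prepended to every encoded token
TAG_LEN = 32     # bytes of HMAC-SHA256 appended to every encoded token


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(secret, nonce || counter) blocks.

    This is a simple illustrative construction, not the cipher the project uses.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_token(token: str, secret: bytes = INSTANCE_SECRET) -> str:
    """Encode the session CSRF token for inclusion in one response.

    A fresh random nonce is drawn per call, so the same token yields a different
    byte string in every response: nothing constant is reflected for a
    compression side channel to measure.
    """
    raw = token.encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    masked = bytes(a ^ b for a, b in zip(raw, _keystream(secret, nonce, len(raw))))
    tag = hmac.new(secret, nonce + masked, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + masked + tag).decode()


def unprotect_token(blob: str, secret: bytes = INSTANCE_SECRET) -> str:
    """Recover the session token from a submitted encoded value.

    Raises ValueError when the value is malformed or fails the integrity check.
    """
    data = base64.urlsafe_b64decode(blob.encode())
    if len(data) < NONCE_LEN + TAG_LEN:
        raise ValueError("encoded token too short")
    nonce, masked, tag = data[:NONCE_LEN], data[NONCE_LEN:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(secret, nonce + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token integrity check failed")
    return bytes(a ^ b for a, b in zip(masked, _keystream(secret, nonce, len(masked)))).decode()


def token_matches(submitted: str, session_token: str, secret: bytes = INSTANCE_SECRET) -> bool:
    """Server-side CSRF check: decode the submitted value and compare in constant time."""
    try:
        recovered = unprotect_token(submitted, secret)
    except ValueError:
        return False
    return hmac.compare_digest(recovered.encode(), session_token.encode())


def distinct_encodings(token: str, n: int, secret: bytes = INSTANCE_SECRET) -> int:
    """Count how many distinct encoded forms `n` responses carry for one unchanged token."""
    return len({protect_token(token, secret) for _ in range(n)})


if __name__ == "__main__":
    session_token = "constructed-session-token-0123"   # constructed sample value
    print("encodings differ per response:", distinct_encodings(session_token, 5))
    print("round trip ok:", token_matches(protect_token(session_token), session_token))
```

The integrity tag matters as much as the masking: without it, a submitted value could be flipped bit by bit into a different token, so the decode step must reject any value whose HMAC does not verify before the constant-time comparison runs. The per-request nonce is what makes the reflected value non-constant; the shared secret is what prevents anyone without it from producing a valid encoding of a chosen token.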
Diffstat (limited to 'tests/lib/appframework/controller/ControllerTest.php')
-rw-r--r-- | tests/lib/appframework/controller/ControllerTest.php | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/lib/appframework/controller/ControllerTest.php b/tests/lib/appframework/controller/ControllerTest.php index 0d7716da411..243014a91a7 100644 --- a/tests/lib/appframework/controller/ControllerTest.php +++ b/tests/lib/appframework/controller/ControllerTest.php @@ -76,6 +76,7 @@ class ControllerTest extends \Test\TestCase { 'method' => 'hi', ], $this->getMock('\OCP\Security\ISecureRandom'), + $this->getMock('\OCP\Security\ICrypto'), $this->getMock('\OCP\IConfig') ); |
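Review bot: the added `$this->getMock('\OCP\Security\ICrypto')` argument only keeps the constructor call in line with the new signature; the mock carries no expectations, so this test tolerates the new dependency without checking that the controller ever passes the CSRF token through it. Consider adding a test that sets an expectation on the mock (for example that its encrypt method is invoked when the token is rendered, if that is where the encryption happens) so the BREACH mitigation described in the commit message has coverage rather than just a compiling test. The diffstat is limited to this test file, so the constructor change itself is in the rest of the commit and not visible here; the hunk should be read together with that change.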