Details

      Description

      The trackback action is secured by an auth token, but its URL is primarily shown as a friendly URL without the token.

      The trackback functionality should be accessible by the Guest.

      How to reproduce:


      1. Create a blog entry with the title asdasd and note the trackback URL: http://localhost:8080/web/guest/blog/-/blogs/trackback/asdasd
      2. Use http://localhost:8080/web/guest/blog/-/blogs/trackback/asdasd?title=test&excerpt=test&url=127.0.0.1&blog_name=test to create the trackback
      OR
      2. Create a second blog entry and fill the previous entry's trackback URL into its "Trackbacks to send" field

      Result: you get a 403 Forbidden status page or an exception in the Tomcat logs.

      Fix:


      Add /blogs/trackback to auth.token.ignore.actions
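
A check for the fix above, added here as an example and not Liferay's own code. It assumes the property is set through an override file whose value replaces the shipped list instead of merging with it, so it reports both whether /blogs/trackback is exempt and which shipped entries the override lost. The `/example/*` entries are constructed stand-ins for the shipped defaults.

```python
KEY = "auth.token.ignore.actions"

def parse_properties(text):
    """Minimal .properties reader: '=' separator, #/! comments, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def actions(props):
    """Split the comma-separated action list, ignoring empty items."""
    return [a.strip() for a in props.get(KEY, "").split(",") if a.strip()]

def check_override(base_text, ext_text, required="/blogs/trackback"):
    """Report whether `required` is exempt and which shipped entries an override lost."""
    base = actions(parse_properties(base_text))
    ext = parse_properties(ext_text)
    effective = actions(ext) if KEY in ext else base   # assumption: override replaces, never merges
    return {"exempt": required in effective,
            "dropped": [a for a in base if a not in effective]}

# Constructed sample files; /example/* stand in for the shipped default entries.
BASE = "auth.token.ignore.actions=\\\n    /example/action_a,\\\n    /example/action_b\n"
EXT_REPLACED = "auth.token.ignore.actions=/blogs/trackback\n"
EXT_APPENDED = BASE.rstrip("\n") + ",\\\n    /blogs/trackback\n"

if __name__ == "__main__":
    for name, ext in [("none", ""), ("replaced", EXT_REPLACED), ("appended", EXT_APPENDED)]:
        print(name, check_override(BASE, ext))
```

A non-empty `dropped` list means the override re-enabled the token check for actions that were exempt before, which would surface as the same 403 on those actions.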


                  Packages

                  Version Package
                  --Sprint 12/11
                  6.1.0 CE RC1