Opened 13 years ago

Closed 13 years ago

#205 closed defect (duplicate)

Full local(!) path of a public file is shown on both user page and public traces page

Reported by: miki
Owned by: steve@…
Priority: major
Milestone:
Component: website
Version:
Keywords: security local path
Cc:

Description

cut from my public user page after adding a file:

<local full path deleted>\apotek2.gpx ... (0 points) ... 0 hours ago PENDING
second part of apotek, torvegade, kongensgade, havnegade, englandsgade, borgergade, jyllandsgade, havnegade, strandbygade, skolegade, stormgade, nørregade, jernbanegade, nørrebrogade, strandbykirkevej, langelandsvej, østergade, jagtvej, storegade, wessel
by miki in: esbjerg denmark danmark

After adding a new public file its full local path on my machine is shown on my public gps trace page (http://www.openstreetmap.org/traces/user/miki). This is probably only during the pending period as my other completed traces only show their file name.

I consider it a security issue as it could, as in my case, reveal local servername and network drive shares.

Mikkel

Change History (3)

comment:1 Changed 13 years ago by miki

Summary: Full local(!) path of a public pending file is shown on user page → Full local(!) path of a public file is shown on both user page and public traces page

Okay, my trace is not pending anymore, but still full path is shown. This must be the result of a really fresh change as it is also an issue on the Public GPS trace page (http://www.openstreetmap.org/traces) for the two most recent traces...

Mikkel

comment:2 Changed 13 years ago by steve@…

Status: new → assigned

I think this is a dupe of another bug... but anyway it's because you're using IE, I think. Try uploading in Firefox as a stopgap solution.

comment:3 Changed 13 years ago by miki

Resolution: duplicate
Status: assigned → closed

oh, sorry, dupe of #66 ;)

Seems plausible, I've uploaded my other traces using Firefox and Konqueror, but unfortunately I'm stuck to IE at work.

A bit strange that only 8 of the 200 most recent traces were uploaded using IE, is this consistent with browser stats? Or maybe there are other prerequisites for this bug?

Where should I look to try to fix this? I would also like to hack at the editor applet at some point when I've become more familiar with this new playground :)

Mikkel
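
A server-side mitigation for the leak described in this ticket, as an added example that is not part of the ticket or OpenStreetMap's code: assuming (as comment 2 suggests) that the browser sends the full client-side path as the upload's filename, the server reduces it to the final path component before storing or displaying it. The method names and the server/share names in the sample inputs are hypothetical.

```ruby
# Added example, not OpenStreetMap code. Method names are hypothetical.

# Reduce a client-supplied upload filename to a bare file name.
# Some browsers (older Internet Explorer) put the full client path in the
# multipart "filename" field. File.basename on a Unix host does not treat
# "\" as a separator, so Windows and UNC paths would pass through intact.
def display_name_for_upload(client_filename, fallback: "trace.gpx")
  name = client_filename.to_s.dup
  name = name.scrub("")   # drop invalid byte sequences
  name.delete!("\0")      # drop NUL bytes
  # Keep only the text after the last "/" or "\". The -1 limit preserves a
  # trailing empty field, so "dir\" yields "" instead of "dir".
  name = name.split(%r{[\\/]}, -1).last.to_s
  # Drive-relative form such as "C:file.gpx" has no separator to split on.
  name = name.sub(/\A[A-Za-z]:/, "").strip
  return fallback if name.empty? || name == "." || name == ".."
  name
end

# Audit helper: true when an already stored name still carries path parts.
def leaks_client_path?(stored_name)
  stored_name.to_s.match?(%r{[\\/]|\A[A-Za-z]:})
end

# Constructed sample inputs (single-quoted, so "\\" is one backslash).
SAMPLE_UPLOAD_NAMES = [
  '\\\\fileserver01\\share\\tracks\\apotek2.gpx', # UNC path
  'C:\\Users\\me\\gps\\apotek2.gpx',              # drive-letter path
  '/home/me/gps/apotek2.gpx',                     # Unix path
  'apotek2.gpx'                                   # already a bare name
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_UPLOAD_NAMES.each do |raw|
    puts "#{raw.inspect} -> #{display_name_for_upload(raw).inspect}"
  end
end
```

The audit helper can be run over names already in the database to find traces that were stored before the upload path was normalized.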
