This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Security - wiki sign up email confirmation uses http links #5464

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 2 comments

Comments

@openstreetmap-trac

Reporter: openstreetmap.org[at]shkspr.mobi
[Submitted to the original trac issue database at 7.29pm, Friday, 18th August 2017]

New user signs up to edit the wiki.

Confirmation email sent to their email address.

Email contains links to http://wiki.openstreetmap.org rather than the https version.

While I'm sure the website automatically redirects, a malicious MITM could redirect the user before that happens.

Hopefully a simple configuration change.

@openstreetmap-trac

Author: tacsipacsi
[Added to the original trac issue at 9.18am, Sunday, 31st December 2017]

The wiki does not redirect, at least not for watchlist notification emails. (Unless you check the appropriate option in your preferences, but a new user won't have that checked.) $wgServer should be changed from http://wiki.openstreetmap.org to https://wiki.openstreetmap.org in LocalSettings.php (I hope).

@openstreetmap-trac

Author: Tigerfell
[Added to the original trac issue at 9.15pm, Monday, 18th February 2019]

Thanks for the suggestion tacsipacsi. We did it slightly differently now.
Link to the change in our GitHub repo: openstreetmap/chef#219.
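
A regression check for the problem reported in this issue, added here as an example and not part of the thread or of the openstreetmap/chef change: it decodes a captured confirmation email and lists any links to the wiki host that still use plain http. The sample message, its link path and the name `cleartext_links` are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample: a quoted-printable confirmation mail whose link is
# split by a soft line break ("=" at end of line), as mailers often do.
SAMPLE = (
    "From: wiki@example.org\n"
    "To: newuser@example.org\n"
    "Subject: Account e-mail address confirmation\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "To confirm this account, open this link:\n"
    "http://wiki.openstreetmap.org/wiki/EXAMPLE-CONFIRM/PLACEHOLDER=\n"
    "TOKEN\n"
    "Help: https://wiki.openstreetmap.org/wiki/Help\n"
)


def cleartext_links(raw_message, hosts):
    """Return http:// URLs in the message's text parts that point at `hosts`."""
    msg = message_from_string(raw_message, policy=policy.default)
    wanted = {h.lower() for h in hosts}
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        # get_content() undoes quoted-printable/base64, so a link broken by
        # a soft line break is rejoined before matching; a grep over the raw
        # message would see only a truncated URL.
        body = part.get_content()
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme.lower() == "http" and host in wanted:
                found.append(url)
    return found


if __name__ == "__main__":
    for link in cleartext_links(SAMPLE, ["wiki.openstreetmap.org"]):
        print("cleartext link:", link)
```

Run against a freshly generated sign-up or watchlist mail after changing the server URL setting, an empty result confirms that outgoing links are https.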
