Bug #41

Potential Privacy/Security Issue

Added by Viktor Szépe over 5 years ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Target version:
Start date:
Due date:
% Done: 0%
Estimated time: 2.00 h

Description

As I see, you are using timestamp+IP for the hidden input element:
myElement.value = '1370701133 80.98.70.185';
It is not cache-friendly: the first generated page, so the first visitor's data, remains in the page cache.

Please use another technique to be cache-friendly, or disable this check on caching (you can "ask" WP about it).

WP support page:
http://wordpress.org/support/topic/bad-behavior-causing-potential-privacysecurity-issue

History

#1 Updated by Michael Hampton over 5 years ago

  • Assignee set to Michael Hampton

This code is useless and destructive in an environment where the cache is external, i.e. nginx or varnish front end caching. It also doesn't provide us much benefit as we already have other ways to do the same check. It will be removed shortly.

#3 Updated by Michael Hampton over 5 years ago

Oh. Hyper Cache does 404 caching (which is generally a bad idea without very careful tuning). That's why this is an issue for you. I don't recommend Hyper Cache :) Anyway, this will be removed from Bad Behavior.

#4 Updated by Viktor Szépe over 5 years ago

I mean basically everyone sees the data (IP, timestamp) of the one who triggered caching. I personally turn off 404 caching in Hypercache:
http://snag.gy/3t5GP.jpg

#5 Updated by Michael Hampton over 3 years ago

  • Start date deleted (06/08/2013)
  • Status changed from New to Accepted

#6 Updated by Michael Hampton 2 months ago

  • Target version changed from 3.0 to 2.2.21

Fixed in r1905739.

This will be fixed in the next release of Bad Behavior.

This feature has been removed.

#7 Updated by Michael Hampton 2 months ago

  • Status changed from Accepted to Resolved
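
The leak reported in this issue can be reproduced and checked for with a small simulation. This is an added example, not code from Bad Behavior or from anyone in this thread; `renderPage`, `PageCache`, `findForeignVisitorData` and the visitor addresses are hypothetical, and the value format follows the line quoted in the description.

```javascript
// Constructed sample page: embeds "<unix timestamp> <client IP>" in a script,
// in the same format as the line quoted in the description.
function renderPage(visitorIp, nowSeconds) {
  return '<form><input type="hidden" id="bb"></form>' +
    `<script>myElement.value = '${nowSeconds} ${visitorIp}';</script>`;
}

// Hypothetical stand-in for a full-page cache keyed by URL only:
// the first rendering is stored and served to every later visitor.
class PageCache {
  constructor() { this.store = new Map(); }
  fetch(url, visitorIp, nowSeconds) {
    if (!this.store.has(url)) {
      this.store.set(url, renderPage(visitorIp, nowSeconds));
    }
    return this.store.get(url);
  }
}

// Defensive check: find "<10-digit timestamp> <IPv4>" pairs in served HTML
// and report those whose IP does not belong to the requester.
const PAIR = /\b(\d{10})\s+((?:\d{1,3}\.){3}\d{1,3})\b/g;
function findForeignVisitorData(html, requesterIp) {
  const hits = [];
  for (const m of html.matchAll(PAIR)) {
    if (m[2] !== requesterIp) hits.push({ timestamp: Number(m[1]), ip: m[2] });
  }
  return hits;
}

function demo() {
  const cache = new PageCache();
  // Constructed visitors using documentation address ranges.
  const first = cache.fetch('/missing-page', '198.51.100.7', 1370701133);
  const second = cache.fetch('/missing-page', '203.0.113.9', 1370704733);
  return {
    samePage: first === second,                       // cache served the stored copy
    leakedToSecond: findForeignVisitorData(second, '203.0.113.9'),
    leakedToFirst: findForeignVisitorData(first, '198.51.100.7'),
  };
}
```

Running the same check against responses fetched through a real front-end cache from two different client addresses shows whether any per-visitor value is being stored in shared pages.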
