dgtlmoon
[feature] Hide version from login screen
On the login screen the currently running version of changedetection should be hidden. This could be used by potential attackers to see if a system is vulnerable.
the template needs something like
{% if not(has_password and not current_user.is_authenticated) %}
{{version}}
{% endif %}
OR make this NOT set the version var if the logic is 'has password set and not authenticated'
https://github.com/dgtlmoon/changedetection.io/blob/904ef84f8229a8ffec3307121146e0be0cf06438/changedetectionio/init.py#L157
but the problem is that __version__ is used as an arg on the CSS, so that it cache-busts for sure when you upgrade..
https://github.com/dgtlmoon/changedetection.io/blob/904ef84f8229a8ffec3307121146e0be0cf06438/changedetectionio/flask_app.py#L105
https://github.com/dgtlmoon/changedetection.io/blob/904ef84f8229a8ffec3307121146e0be0cf06438/changedetectionio/templates/base.html#L11
if someone wants to provide a PR, i'm happy to look into their PR
@dgtlmoon an you confirm that te version is identified by var right_sticky? (ref: https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/templates/base.html#L145C52-L145C64)
@dgtlmoon an you confirm that te version is identified by var
right_sticky? (ref: https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/templates/base.html#L145C52-L145C64)
no thats only the template output, the version is defined by my comment above
Yes, but the point here is to don't show the version on frontend, not to don't assign it to a variable (since could be useful later for other features).
So my idea is to apply only the first check you mentioned in the comment above.
Something like this in base.html:
{% if right_sticky %}
{% if not(has_password and not current_user.is_authenticated) %}
<div class="sticky-tab" id="right-sticky">{{ right_sticky }}</div>
{% endif %}
{% endif %}
could be okay? Am I missing something?
Why showing this at all on those pages with such a logic involved? Wouldn't it be better to show the version just in the settings? Would make life a lot easier :-)
but the problem is that version is used as an arg on the CSS, so that it cache-busts for sure when you upgrade..
I repeat, 3rd time :)
@dgtlmoon honestly I'm not an expert in frontend development. I'm for sure not the best person to address this issue. I was just trying to solve this problem. IMO this is a big problem for security and should be addressed asap.
Of course it's not a direct vuln per se, the problem is that e.g. someone finds a critical vuln in old versions. It would be so easy in this way to track all the publicly exposed vulnerable self-hosted instances.
The version should never be disclosed to unauthorized users (and of course it's not the best option to use that for cache-busting).
edoardo
@dgtlmoon honestly I'm not an expert in frontend development. I'm for sure not the best person to address this issue. I was just trying to solve this problem. IMO this is a big problem for security and should be addressed asap.
Of course it's not a direct vuln per se, the problem is that e.g. someone finds a critical vuln in old versions. It would be so easy in this way to track all the publicly exposed vulnerable self-hosted instances.
The version should never be disclosed to unauthorized users (and of course it's not the best option to use that for cache-busting).
edoardo
I believe this was already pointed out in the issue's opening comment
On the login screen the currently running version of changedetection should be hidden. This could be used by potential attackers to see if a system is vulnerable.
cache busting url could be checksum of last 10 chars of the app guid key plus the version