In order for the fixes to work there are a couple of columns in the user table that needs to be added to the database:
alter table users add column last_login_attempt varchar(255);
alter table users add column login_fails int(1);
alter table users add column locked boolean;
- Info leakage
- Lock out mechanism (includes implementation of throttle protection)
- Weak password policy
- Debug mode enabled
- Stored xss
- Make github project
- Git workflow description
- Clickable links warning
- Bypassing authentication
- Escalating account privs
- Csrf
- Fix ShareLaTex project
- Session fixation
- Session timeout
- Weak hash
- File inclusion
- SQL injection
- Email verification
We will make branches for each of the vulnerabilities we are fixing. After cloning the repository, when we're about to start fixing an issue you make a new branch: git checkout -b info-leakage
, where info-leakage is the branch name that corresponds to Emil's first area of responsibility. Use dashes -
instead of spaces.
Do not merge your branch straight to master after you're done with a fix. Make a pull request, and have someone review, test and merge it to master.
Rebase master into your local branch if there has been changes to the master branch after you branched out from it: git rebase origin/master
. Do this before you make a pull request.
If you want to clean up your messy commit history before you do a pull request, have a look at interactive rebasing. This is not a must.