The Omni Group Forums

The Omni Group Forums (http://forums.omnigroup.com/index.php)
-   OmniFocus Syncing (http://forums.omnigroup.com/forumdisplay.php?f=50)
-   -   security hole in latest Sneaky Peek (7/20) (http://forums.omnigroup.com/showthread.php?t=8891)

swhobbit 2008-07-20 05:14 PM

security hole in latest Sneaky Peek (7/20)
 
[QUOTE]When a secure WebDAV server returns Bad Gateway (502) in response to a MOVE operation, OmniFocus now retries its request using an http destination URL. This works around a WebDAV implementation bug on some servers (such as BingoDisk) which don't correctly handle https destination URLs.[/QUOTE]

This change needs to be reverted ASAP, OF is opening users up to stolen passwords, man in the middle attacks, and goodness knows what else. NEVER silently revert an HTTPS connection to HTTP!

Make the WevDAV vendor fix their software instead.

Tim Wood 2008-07-20 11:02 PM

I've updated the release notes to be more clear on this issue.

We aren't switching protocols; https is still being used.

Rather, the WebDAV spec requires a Destination header that determines the, well, destination of the MOVE command. The server in question gets confused when using https and thinks we are trying to move the resource between servers. Passing a http:// URL as the value of the Destination header, within the https session, works around its confusion.

That said, yes, we do want to contact the server to fix their bogus implementation, but as far as we know there are no security problems with this fallback.

swhobbit 2008-07-21 06:24 AM

OH. Bizarre. And not screamingly frightening like I originally thought, agreed.


All times are GMT -8. The time now is 01:26 AM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2019, vBulletin Solutions, Inc.