The Omni Group
security hole in latest Sneaky Peek (7/20)
Quote:
When a secure WebDAV server returns Bad Gateway (502) in response to a MOVE operation, OmniFocus now retries its request using an http destination URL. This works around a WebDAV implementation bug on some servers (such as BingoDisk) which don't correctly handle https destination URLs.
This change needs to be reverted ASAP, OF is opening users up to stolen passwords, man in the middle attacks, and goodness knows what else. NEVER silently revert an HTTPS connection to HTTP!

Make the WebDAV vendor fix their software instead.
 
I've updated the release notes to be more clear on this issue.

We aren't switching protocols; https is still being used.

Rather, the WebDAV spec requires a Destination header that determines the, well, destination of the MOVE command. The server in question gets confused when using https and thinks we are trying to move the resource between servers. Passing a http:// URL as the value of the Destination header, within the https session, works around its confusion.

That said, yes, we do want to contact the server to fix their bogus implementation, but as far as we know there are no security problems with this fallback.
__________________
CTO, The Omni Group
 
OH. Bizarre. And not screamingly frightening like I originally thought, agreed.
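
The fallback described in the reply above, as an added example (not OmniFocus code): on retry the request URL, and so the TLS session, is unchanged and only the Destination header value changes scheme. The function names, the example.com URLs, the same-host check and the stand-in server are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def move_request(source_url, destination):
    """Describe one WebDAV MOVE: where the socket connects and what is sent."""
    src = urlsplit(source_url)
    return {
        "tls": src.scheme == "https",  # transport is chosen by the request URL only
        "host": src.netloc,
        "method": "MOVE",
        "path": src.path,
        "headers": {"Host": src.netloc, "Destination": destination, "Overwrite": "T"},
    }

def http_destination(source_url, destination):
    """Rewrite only the Destination header value from https:// to http://.
    Assumed guard: refuse if the header would name a server other than the session's."""
    src, dst = urlsplit(source_url), urlsplit(destination)
    if src.scheme != "https" or dst.scheme != "https":
        raise ValueError("fallback applies only to https source and destination")
    if dst.hostname != src.hostname:
        raise ValueError("Destination names a different server than the session")
    return urlunsplit(("http", dst.netloc, dst.path, dst.query, dst.fragment))

def move_with_fallback(send, source_url, destination):
    """send(request) -> HTTP status. Retry once on 502 with an http Destination."""
    sent = [move_request(source_url, destination)]
    status = send(sent[0])
    if status == 502:
        retry = http_destination(source_url, destination)
        sent.append(move_request(source_url, retry))
        status = send(sent[1])
    return status, sent

def confused_server(request):
    """Constructed stand-in for the server bug described in the thread: an https
    Destination is treated as a cross-server move and answered with 502."""
    return 502 if request["headers"]["Destination"].startswith("https://") else 201

SRC = "https://dav.example.com/sync/OmniFocus.ofocus/tmp-1.zip"  # constructed URL
DST = "https://dav.example.com/sync/OmniFocus.ofocus/0001.zip"   # constructed URL

if __name__ == "__main__":
    status, sent = move_with_fallback(confused_server, SRC, DST)
    for r in sent:
        print("TLS" if r["tls"] else "PLAINTEXT", r["method"], r["path"],
              "Destination:", r["headers"]["Destination"])
    print("final status:", status)
```

Auditing a client for this behaviour comes down to the same two observations: every request in the exchange is sent over TLS to the same host, and the http:// string appears only as a header value.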
 
 

