Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 15:30:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Updated Security Disclosure (markdown)

Lauri Ojansivu 2018-03-10 02:31:49 +02:00
parent 27bafaa00d
commit 2bbeafb83a
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Security-Disclosure.md

@ -36,7 +36,7 @@ There is only 2 versions of Wekan: Standalone Wekan, and Sandstorm Wekan.
Standalone Wekan includes all non-Sandstorm platforms. Some Standalone Wekan platforms like Snap and Docker have their own specific sandboxing etc features.
Wekan uses xss package for input fields like cards, as you can see from [package.json](https://github.com/wekan/wekan/blob/devel/package.json). Forms can include markdown links, html, image tags etc like you see at https://wekan.github.io . It's possible to add attachments to cards, and markdown/html links to files.
Wekan uses xss package for input fields like cards, as you can see from [package.json](https://github.com/wekan/wekan/blob/devel/package.json). Other used versions can be seen from [Meteor versions file](https://github.com/wekan/wekan/blob/devel/.meteor/versions). Forms can include markdown links, html, image tags etc like you see at https://wekan.github.io . It's possible to add attachments to cards, and markdown/html links to files.
Wekan attachments are not accessible without logging in. Import from Trello works by copying Trello export JSON to Wekan Trello import page, and in Trello JSON file there is direct links to all publicly accessible Trello attachment files, that Standalone Wekan downloads directly to Wekan MongoDB database in [CollectionFS](https://github.com/wekan/wekan/pull/875) format. When Wekan board is exported in Wekan JSON format, all board attachments are included in Wekan JSON file as base64 encoded text. That Wekan JSON format file can be imported to Sandstorm Wekan with all the attachments, when we get latest Wekan version working on Sandstorm. In Sandstorm it's not possible yet to import from Trello with attachments, because Wekan does not implement Sandstorm-compatible access to outside of Wekan grain.
@ -66,7 +66,7 @@ Any typical web security bugs. If any of the previously mentioned is somehow pro
Typical already known or "no impact" bugs such as:
- Brute force password guessing
- Security issues related to that Wekan uses Meteor 1.6.0.1 related packages, and upgrading to newer Meteor 1.6.1 is complicated process that requires lots of changes to many dependency packages. Upgrading [has been tried many times, spending a lot of time](https://github.com/meteor/meteor/issues/9609) but there still is issues.
- Security issues related to that Wekan uses Meteor 1.6.0.1 related packages, and upgrading to newer Meteor 1.6.1 is complicated process that requires lots of changes to many dependency packages. Upgrading [has been tried many times, spending a lot of time](https://github.com/meteor/meteor/issues/9609) but there still is issues. Helping with package upgrades is very welcome.
- [Wekan API old tokens not replaced correctly](https://github.com/wekan/wekan/issues/1437)
- Missing Cookie flags on non-session cookies or 3rd party cookies
- Logout CSRF