TracktionMarketplaceStatus, does it use GET or POST?


#1

Hi everyone,

when looking at the TracktionMarketplaceStatus class I saw that the username, password, … is simply added as a parameter to the URL in readReplyFromWebserver(). Then calling url.readEntireTextStream() seems to create a GET request to transmit the data to the server. But isn’t this a security risk because GET parameters may appear in the web server access logs? Or should the password be hashed before transmission? Or did I miss something?

Sebastian


#2

The parameters do still get encrypted if you’re doing a GET with HTTPS, but I agree POST would be a better choice for this!

Ed is refactoring some of that code right now anyway, so he’ll add a flag to let you choose the mode to use, but the main purpose of those unlocking classes is to let you build your own, where you’d be using your own webserver, and would probably not use this class directly.


#3

I will create my own class, but a less experienced programmer might create a serious security problem when using this code as a basis. It took me a few days to realize what side-effects may appear when the password is transmitted with GET, too.

The biggest problem is that the password will not only appear in the server log but also in the browser history of the client. Hence, everyone who can access the browser history obtains the full login credentials for the Tracktion Marketplace of the user.


#4

Well, it’s not going via a browser in this case so probably not a huge risk, but totally agreed, it should default to POST, and we’ll change that now.


#5

Ah yes of course, you are right, there is no browser in between. I was looking at it from the wrong perspective.


#6

Thanks, I’ve changed TracktionMarketplaceStatus::readReplyFromWebserver() to use a POST command but, like Jules said, if you’re rolling your own then it’s up to you to do this in your own implementation of readReplyFromWebserver().