View Issue Details

ID: 0026330
Project: mantisbt
Category: documentation
View Status: public
Last Update: 2019-11-06 03:30
Reporter: anfrind
Assigned To:
Status: confirmed
Resolution: open
Summary: 0026330: Configuration option to disable RSS

For a user to subscribe to their personal RSS feed, their RSS reader must submit a GET request that includes their username and a unique key. This may be a security risk, as the username and key could be inadvertently saved to server logs, proxy logs, and if HTTPS is not used, they may be visible to network monitoring tools (e.g. Wireshark).

It would be nice if there were a configuration option to disable RSS entirely, thereby eliminating it as a potential attack vector.

Tags: No tags attached.




2019-11-06 03:29

developer   ~0063057

There is a configuration option, $g_rss_enabled, for it.

Like some other options, it's not documented in the Admin Guide.
Therefore it's recommended to check config_defaults_inc to get a list of all available options.
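
For the log exposure described in the issue, an added example (not part of the original issue or of MantisBT's code) that audits access-log lines for feed requests carrying credentials in the query string and redacts them. The log lines are constructed, and the parameter names `username` and `key` and the path `issues_rss.php` are assumptions based on the issue's description.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: the feed credentials travel as "username" and "key" query parameters.
SENSITIVE = {"username", "key"}
# Request line inside a combined-format access-log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
    if not leaked:
        return line, []
    # Keep parameter names and order, replace only the sensitive values.
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = parts._replace(query=urlencode(clean)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def audit(lines):
    """Redact every line and collect (line number, leaked parameters) findings."""
    redacted, findings = [], []
    for n, line in enumerate(lines, 1):
        out, leaked = redact_line(line)
        redacted.append(out)
        if leaked:
            findings.append((n, leaked))
    return redacted, findings

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '203.0.113.5 - - [06/Nov/2019:03:29:00 +0000] '
    '"GET /issues_rss.php?username=alice&key=abc123&project_id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Nov/2019:03:30:00 +0000] "GET /view.php?id=26330 HTTP/1.1" 200 8342',
]

if __name__ == "__main__":
    out, found = audit(SAMPLE)
    print("\n".join(out))
    print(found)
```

Any key that shows up in the findings has already been written to disk in clear text, so redaction alone does not make it safe to keep using.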

Issue History

Date Modified Username Field Change
2019-11-05 20:36 anfrind New Issue
2019-11-06 03:29 atrol Note Added: 0063057
2019-11-06 03:30 atrol Severity feature => minor
2019-11-06 03:30 atrol Status new => confirmed
2019-11-06 03:30 atrol Category rss => documentation