You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I don't want to file an erratum but just mention it here. Maybe you want to incorporate this idea into the security considerations.
Often backends have the full data set but restrict writing certain items, so that replaceing a value would not be possible.
But testing for a value would be possible.
Imagine the data structure has some plaintext secrets like {"password: "foobar", …},
then a {"op": "test", "path": "/password", "value": "foobar"} would successfully reveal a matching password, if no restrictions exists for allowed-to-read keys.
The text was updated successfully, but these errors were encountered:
I don't want to file an erratum but just mention it here. Maybe you want to incorporate this idea into the security considerations.
Often backends have the full data set but restrict writing certain items, so that
replace
ing a value would not be possible.But
test
ing for a value would be possible.Imagine the data structure has some plaintext secrets like
{"password: "foobar", …}
,then a
{"op": "test", "path": "/password", "value": "foobar"}
would successfully reveal a matching password, if no restrictions exists for allowed-to-read keys.The text was updated successfully, but these errors were encountered: