by lelandbatey
1696 days ago
I was impatient to find the example you were talking about; as far as I can tell, this is the line with the example: https://gitlab.com/gitlab-org/gitlab/-/commit/3fb44197195b57...

And here's what it looks like in various conditions/viewers:

With the fix, this is how it looks in the browser in the Gitlab interface:

    if (accessLevel != "user�") {� // Check if admin ��

Without the fix, viewed raw (and thus viewed in a vulnerable way), it looks like this:

    if (accessLevel != "user") { // Check if admin

And in a hex viewer, it looks like this:

    000005b0: 2020 2020 2020 2069 6620 2861 6363 6573  if (acces
    000005c0: 734c 6576 656c 2021 3d20 2275 7365 72e2  sLevel != "user.
    000005d0: 80ae 20e2 81a6 2f2f 2043 6865 636b 2069  .. ...// Check i
    000005e0: 6620 6164 6d69 6ee2 81a9 20e2 81a6 2229  f admin... ...")
    000005f0: 207b 0a20 2020 2020 2020 2020 2020 2020  {.
    00000600: 2063 6f6e 736f 6c65 2e6c 6f67 2822 596f  console.log("Yo
    00000610: 7520 6172 6520 616e 2061 646d 696e 2e22  u are an admin."
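Added example, not part of the comment above and not GitLab's code: a small Python scanner that rebuilds the bytes from the xxd dump quoted in the comment, reports every Unicode bidirectional control character with its line, column and name (the `e2 80 ae` / `e2 81 a6` / `e2 81 a9` sequences are U+202E, U+2066 and U+2069), and renders them visibly the way a review UI fix would. The sample dump is copied from the comment; the function names are my own.

```python
import unicodedata

# Unicode directional formatting characters (the "Trojan Source" set): they
# change how a line is *displayed* but not how a compiler or interpreter reads it.
BIDI_CONTROLS = frozenset(
    [0x061C, 0x200E, 0x200F]            # ALM, LRM, RLM
    + list(range(0x202A, 0x202F))       # LRE, RLE, PDF, LRO, RLO
    + list(range(0x2066, 0x206A))       # LRI, RLI, FSI, PDI
)

# Constructed sample: the xxd dump from the comment above, copied verbatim.
# The trailing ASCII column is ignored by the parser.
XXD_DUMP = """\
000005b0: 2020 2020 2020 2069 6620 2861 6363 6573  if (acces
000005c0: 734c 6576 656c 2021 3d20 2275 7365 72e2  sLevel != "user.
000005d0: 80ae 20e2 81a6 2f2f 2043 6865 636b 2069  .. ...// Check i
000005e0: 6620 6164 6d69 6ee2 81a9 20e2 81a6 2229  f admin... ...")
000005f0: 207b 0a20 2020 2020 2020 2020 2020 2020  {.
00000600: 2063 6f6e 736f 6c65 2e6c 6f67 2822 596f  console.log("Yo
00000610: 7520 6172 6520 616e 2061 646d 696e 2e22  u are an admin."
"""

def decode_xxd(dump):
    """Rebuild raw bytes from xxd output: offset, eight 4-hex-digit groups, ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        groups = line.split(":", 1)[1].split()[:8]
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def find_bidi_controls(text):
    """Return each bidi control in text with 1-based line/column and its Unicode name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) in BIDI_CONTROLS:
                findings.append({"line": lineno, "col": col,
                                 "codepoint": ord(ch), "name": unicodedata.name(ch)})
    return findings

def make_visible(text):
    """Replace every bidi control with a <U+XXXX> marker so reviewers can see it."""
    return "".join(f"<U+{ord(ch):04X}>" if ord(ch) in BIDI_CONTROLS else ch
                   for ch in text)

if __name__ == "__main__":
    source = decode_xxd(XXD_DUMP).decode("utf-8")
    for f in find_bidi_controls(source):
        print(f"line {f['line']} col {f['col']}: U+{f['codepoint']:04X} {f['name']}")
    print(make_visible(source.splitlines()[0]))
```

Run as a pre-receive hook or CI step over each changed file, a non-empty result from `find_bidi_controls` is a reason to block or flag the commit.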