R1:66c648cc56be
R1:66c648cc56be
Fix a redirect-on-login issue by allowing logged-out users to view 404 pages
Summary:
See T2102 and inline for discussion. This seems like the least-bad approach until we have something better.
The utility of next_uri seems much greater than the minor exposure of routable URIs.
Note that attackers can //not// detect if routable URIs are //valid// (e.g., "/D999" will always hit the login page whether it exists or not), just that they're routable. So you can only really tell if apps are installed or not.
Summary:
See T2102 and inline for discussion. This seems like the least-bad approach until we have something better.
The utility of next_uri seems much greater than the minor exposure of routable URIs.
Note that attackers can //not// detect if routable URIs are //valid// (e.g., "/D999" will always hit the login page whether it exists or not), just that they're routable. So you can only really tell if apps are installed or not.
Repository: R1 hydra
Commit Date: Nov 21 2012