CSS URL signing does not protect all arguments

Xon

Affected version: 2.2.15
XF URL-signs the autogenerated css.php links; however, it only covers the css argument and not the language/style/last modified arguments. It is also optional, so it can be completely trimmed off.

If URL signing is going to be used, it should cover all the style-related arguments, and likely not be optional in non-debug mode.
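
The difference between the two designs in the report, as an added example that is not part of the original post and not XenForo's code: a verifier whose MAC covers only the css argument and treats the signature as optional, beside one that signs every style-related argument and requires the signature outside debug mode. The parameter names (`css`, `s`, `l`, `d`, `k`), the use of HMAC-SHA256, the secret and the sample request are assumptions made for the sketch.

```php
<?php
// Added sketch, not XenForo code. The parameter names (css, s, l, d, k), the
// HMAC-SHA256 choice and the secret are assumptions for illustration.
const SECRET = 'constructed-demo-secret';

// Behaviour the report describes: the MAC covers only `css`, and a request
// with no signature is still accepted.
function verifyCssOnly(array $q): bool
{
    if (!isset($q['k'])) {
        return true;
    }
    $expected = hash_hmac('sha256', (string)($q['css'] ?? ''), SECRET);
    return is_string($q['k']) && hash_equals($expected, $q['k']);
}

// Suggested form: one MAC over every style-related argument, in a fixed order
// and length-prefixed so a value cannot slide from one field into the next.
function signAll(array $q): string
{
    $msg = '';
    foreach (['css', 's', 'l', 'd'] as $name) {
        $value = (string)($q[$name] ?? '');
        $msg .= $name . ':' . strlen($value) . ':' . $value . ';';
    }
    return hash_hmac('sha256', $msg, SECRET);
}

function verifyAll(array $q, bool $debug = false): bool
{
    if ($debug) {
        return true; // only debug mode may skip the check
    }
    if (!isset($q['k']) || !is_string($q['k'])) {
        return false; // a missing signature is a rejection, not a bypass
    }
    return hash_equals(signAll($q), $q['k']);
}

// Constructed sample request: css list, style id, language id, last modified.
$base   = ['css' => 'public:normalize.css', 's' => '1', 'l' => '1', 'd' => '1700000000'];
$weak   = $base + ['k' => hash_hmac('sha256', $base['css'], SECRET)];
$strong = $base + ['k' => signAll($base)];

foreach (['unchanged' => [], 'style id changed' => ['s' => '2']] as $label => $edit) {
    printf("%-17s css-only=%d all-args=%d\n", $label,
        verifyCssOnly($edit + $weak), verifyAll($edit + $strong));
}
printf("%-17s css-only=%d all-args=%d\n", 'signature removed',
    verifyCssOnly($base), verifyAll($base));
```

The css-only verifier accepts the request with a changed style id and the request with no signature at all; `verifyAll` rejects both and accepts only the unchanged, signed request.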
 