mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-08 08:40:19 +00:00
03799f8e4a
Opus independent security review concurred SAFE and surfaced 2 LOW defense-in-depth items, both applied: (1) verify_profile_cookie_value now validates the profile name against _PROFILE_ID_RE itself (not only in get_profile_cookie) so a future second caller can't return an unvalidated name; (2) build_profile_cookie raises when auth is enabled and no handler is passed, so a future call site can't silently emit an unsigned (session-unbound) profile cookie. +3 regression tests.