Found Vulnerability:- IDOR (Insecure Direct Object Reference)
According to your report, HTTP is 200 with modified or unmodified account id, but the JSON is status: "ok" with unmodified and "error" with modified account id. So it doesn't look like the changed account id was accepted. Again, it has nothing to do with jEdit. I'm closing the ticket now.
I see you already created https://sourceforge.net/p/forge/site-support/27035/
Found Vulnerability:- IDOR (Insecure Direct Object Reference)
Please clarify exactly how, in step 6, it is a vulnerability, since the response is an error. Anyway, please send the report to sourceforge.net, because on jedit.org it is just an image and a plain link to https://www.sourceforge.net/projects/jedit/.
This is because File.delete() doesn't throw an exception when the file doesn't exist, while Files.delete(path) does. I guess this is the reason why you chose to use Files.delete, given the commit message, but the issue is that you didn't add code to handle the NoSuchFileException. Please revert or fix the code. Adding a debug message, here is an example of the problem: fromCanonPath == "/tmp/#xxxxxe#save#" and toCanonPath == "/tmp/xxxxxe"
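The difference described in the comment above, as an added example that is not jEdit's code or part of the original thread: the class and the `replace` helper are hypothetical, and the file names are modelled on the debug message but created in a temporary directory. It shows both APIs on a missing target and one way to keep the `java.nio.file` error reporting without failing on the first save.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;

public class DeleteBeforeRename {
    // Hypothetical helper (an assumption, not jEdit's method): put `from` in place of `to`.
    static boolean replace(Path from, Path to) throws IOException {
        // deleteIfExists returns false when `to` is absent instead of throwing.
        // Other failures, such as a permission error, still surface as IOException,
        // which File.delete() would have collapsed into a bare `false`.
        boolean removed = Files.deleteIfExists(to);
        Files.move(from, to);
        return removed;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("delete-demo");
        Path from = dir.resolve("#xxxxxe#save#"); // constructed sample names
        Path to = dir.resolve("xxxxxe");
        Files.writeString(from, "first save\n");

        // Legacy API: a missing file is reported only through the return value.
        System.out.println("File.delete() on missing target: " + to.toFile().delete());

        // NIO API: the same situation raises NoSuchFileException.
        try {
            Files.delete(to);
        } catch (NoSuchFileException e) {
            System.out.println("Files.delete() threw NoSuchFileException for " + e.getFile());
        }

        // First save: the target does not exist yet, nothing to remove.
        System.out.println("old target removed: " + replace(from, to));

        // Second save: the target exists and is removed before the move.
        Files.writeString(from, "second save\n");
        System.out.println("old target removed: " + replace(from, to));
        System.out.print("final contents: " + Files.readString(to));

        // Clean up the temporary files.
        Files.delete(to);
        Files.delete(dir);
    }
}
```

Catching `NoSuchFileException` around `Files.delete(to)` inside the helper is an equivalent fix; either way, exceptions other than the missing-file case should be left to propagate.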