Group Name Guessing Disclosure Policy

Max Kanat-Alexander mkanat at bugzilla.org
Mon Jul 19 21:38:24 UTC 2010


	Hey folks. So, right now we have a policy that goes like this:

	Group names are confidential. If somebody tries to guess a group name,
we don't want to tell them whether or not that group name exists,
because by guessing infinitely, they could discover confidential group
names. So, if somebody tries to add or remove a group to a bug that
doesn't exist, we fail silently.

	This is OK when the only interface for adding groups is the web UI,
because you can't typo a group name or id--they're checkboxes! :-) So
anybody mis-adding or removing a group is hacking the URL, and we don't
care so much. But with 4.0 comes Bug.update, and the ability to add or
remove groups from bugs using the API! Also, I believe email_in.pl will
support adding groups in 4.0, so there's another opportunity for typos.

	Bug security is really important--far more important than protecting
against guessing group names. Right now, according to our policy, if
somebody typos a group name (or specifies a group name that can't be
validly added to the bug), it will silently fail. This means that people
will have bugs that they intended to be secure that are actually public,
which is very bad.

	Now, a simple solution sounds like, "Oh, so we should just tell people
that 'the group you specified either does not exist or you cannot see
its name'." However, there are two problems with that:

	* There is actually no central way for being able to tell if somebody
"can see the name" of a group. There are so many possible ways that a
group's name could be seen (membership, othercontrol, permissions,
inheritance, admin interfaces, etc.) that it would be nearly impossible
to effectively write a single method that would tell us whether or not
somebody can see a group's name.

	* The Group Controls are really complex. So if we have the same error
for "this group doesn't exist" and "this group can't validly be added or
removed from this product", then it will confuse the heck out of
everyday Bugzilla administrators.

	So, I propose that we start explicitly telling people if a group
doesn't exist, and then we explicitly tell them if they are trying to do
something invalid with a group that *does* exist. This means that group
names would be exposed if somebody managed to guess one, but I think
that that is an acceptable fact, particularly if we relnote it for the
upcoming 4.0 release, highlighted as a security change.

	Does this sound OK?

	-Max
-- 
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
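To make the trade-off in the post concrete, here is a small model (added here, not Bugzilla's code) of the two policies: the current silent-failure behaviour and the proposed explicit errors that distinguish "group does not exist" from "group cannot be added to this product". The group names, products and the `Bug` class are constructed for the example.

```python
"""Constructed model of the two group-validation policies discussed above.

Not Bugzilla code: an in-memory stand-in for groups, product group
controls and a bug, to show how a silent failure turns a typo into a
public bug, and how explicit validation avoids that.
"""
from dataclasses import dataclass, field


class GroupNotFound(ValueError):
    """Proposed policy: the group name does not exist at all."""


class GroupNotApplicable(ValueError):
    """Proposed policy: the group exists but cannot restrict this product."""


# Constructed data: group name -> products whose bugs it may restrict.
GROUPS = {"security": {"Firefox", "Core"}, "legal": {"Core"}}


@dataclass
class Bug:
    product: str
    groups: set = field(default_factory=set)

    @property
    def is_public(self):
        return not self.groups  # no restricting group means world-readable


def apply_groups_silent(bug, names):
    """Current policy: unknown or inapplicable names are dropped silently."""
    for name in names:
        if bug.product in GROUPS.get(name, set()):
            bug.groups.add(name)
    return bug


def apply_groups_explicit(bug, names):
    """Proposed policy: validate every name first, then apply all of them."""
    for name in names:
        if name not in GROUPS:
            raise GroupNotFound(f"group '{name}' does not exist")
        if bug.product not in GROUPS[name]:
            raise GroupNotApplicable(f"group '{name}' not valid for {bug.product}")
    bug.groups.update(names)
    return bug


def outcome(policy, product, names):
    """Run one policy on a fresh bug; return (status, bug_is_public)."""
    bug = Bug(product)
    try:
        policy(bug, names)
    except GroupNotFound:
        return ("not_found", bug.is_public)
    except GroupNotApplicable:
        return ("not_applicable", bug.is_public)
    return ("ok", bug.is_public)
```

Running `outcome(apply_groups_silent, "Firefox", ["securty"])` reports success while the bug is left public; the explicit policy reports the typo and leaves the bug untouched for the submitter to fix.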