Group Name Guessing Disclosure Policy
Mikhail Gusarov
dottedmag at dottedmag.net
Mon Jul 19 21:48:10 UTC 2010
Twas brillig at 14:38:24 19.07.2010 UTC-07 when mkanat at bugzilla.org did
gyre and gimble:
MK> This is OK when the only interface for adding groups is the web UI,
MK> because you can't typo a group name or id--they're checkboxes! :-)
MK> So anybody mis-adding or removing a group is hacking the URL, and
MK> we don't care so much. But with 4.0 comes Bug.update, and the
MK> ability to add or remove groups from bugs using the API! Also, I
MK> believe email_in.pl will support adding groups in 4.0, so there's
MK> another opportunity for typos.
I don't see why URL hacking is different from API hacking from the
security standpoint.
--
http://fossarchy.blogspot.com/
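The tension MK raises above, helpful error messages for typos in an API or email interface versus not telling a caller which groups exist, can be handled in the group-change handler itself. The following is an added example, not Bugzilla's code; the group names and the mock Bug.update-style handler are constructed for illustration:

```python
from difflib import get_close_matches

# Constructed sample data (hypothetical group names, not Bugzilla's).
# A group's member set stands in for "who may see and use this group".
GROUPS = {
    "editbugs": {"alice", "bob"},
    "security": {"alice"},  # bob must not learn this group exists
}

UNIFORM_ERROR = "Group does not exist or you cannot use it"


def visible_groups(user):
    """Groups the caller is allowed to see; only these may appear in any message."""
    return sorted(name for name, members in GROUPS.items() if user in members)


def change_group(user, requested):
    """Mock of a Bug.update-style add/remove of one group by name.

    Returns ("ok", name) when the caller may use the group. Otherwise returns
    ("error", message), where the message is identical for a nonexistent name
    and for a real group the caller cannot see. A typo hint is appended only
    when the name is close to a group the caller can already see, so the hint
    never reveals anything the caller does not already know.
    """
    visible = visible_groups(user)
    if requested in visible:
        return ("ok", requested)
    close = get_close_matches(requested, visible, n=3, cutoff=0.8)
    hint = f" (did you mean {', '.join(close)}?)" if close else ""
    return ("error", UNIFORM_ERROR + hint)


def is_existence_oracle(user, hidden_name, bogus_name):
    """True if the two responses differ, i.e. the caller could tell a hidden
    group apart from a nonexistent one."""
    return change_group(user, hidden_name) != change_group(user, bogus_name)


if __name__ == "__main__":
    print(change_group("alice", "editbug"))   # typo of a visible group: hint given
    print(change_group("bob", "security"))    # hidden group: uniform error, no hint
    print(change_group("bob", "securty"))     # typo of a hidden group: same error
    print(is_existence_oracle("bob", "security", "securty"))  # False
```

The same check applies to email_in.pl-style input: whatever parses the group name should funnel through one handler so that the UI, the API and the mail gateway all give the same non-disclosing answer.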