Group Name Guessing Disclosure Policy
Gervase Markham
gerv at mozilla.org
Tue Jul 20 00:21:52 UTC 2010
On 19/07/10 14:38, Max Kanat-Alexander wrote:
> This is OK when the only interface for adding groups is the web UI,
> because you can't typo a group name or id--they're checkboxes! :-) So
> anybody mis-adding or removing a group is hacking the URL, and we don't
> care so much. But with 4.0 comes Bug.update, and the ability to add or
> remove groups from bugs using the API! Also, I believe email_in.pl will
> support adding groups in 4.0, so there's another opportunity for typos.
If the API were to support group IDs rather than group names, would this
problem be mitigated?
Gerv
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla