Group Name Guessing Disclosure Policy

Gervase Markham gerv at mozilla.org
Tue Jul 20 00:21:52 UTC 2010


On 19/07/10 14:38, Max Kanat-Alexander wrote:
> 	This is OK when the only interface for adding groups is the web UI,
> because you can't typo a group name or id--they're checkboxes! :-) So
> anybody mis-adding or removing a group is hacking the URL, and we don't
> care so much. But with 4.0 comes Bug.update, and the ability to add or
> remove groups from bugs using the API! Also, I believe email_in.pl will
> support adding groups in 4.0, so there's another opportunity for typos.

If the API were to support group IDs rather than group names, would this 
problem be mitigated?

Gerv

_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla


