Group Name Guessing Disclosure Policy
Gervase Markham
gerv at mozilla.org
Wed Jul 21 17:16:43 UTC 2010
On 20/07/10 17:27, Max Kanat-Alexander wrote:
> We could, but that would add even *more* code complexity. Then we'd
> have to implement alternate code for both cases in every single place
> that we check the existence of a group in Bugzilla.

Surely just in the error messages? If group names are secret, we use
generic messages; if they are not, we use specific ones.

Or are there other areas of data leak?

Gerv
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla