JSON-RPC GET User.login security
Max Kanat-Alexander
mkanat at bugzilla.org
Wed Nov 10 00:16:41 UTC 2010

Hey there. Right now, we deny calling the "User.login" method when
using the GET method for JSON-RPC calls. Is there actually any good
security-based reason to do so?

We *allow* using the Bugzilla_login and Bugzilla_password arguments,
but not calling User.login. It seems to me that either we should allow
both or deny both.

Any input?

-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.