JSON-RPC GET User.login security

Michael Thomas mockodin at gmail.com
Wed Nov 10 00:21:20 UTC 2010


Deny both imo. Nothing beats a password in clear text in the Apache
access log for high-level security... er.

On Tue, Nov 9, 2010 at 4:16 PM, Max Kanat-Alexander <mkanat at bugzilla.org> wrote:
>        Hey there. Right now, we deny calling the "User.login" method when
> using the GET method for JSON-RPC calls. Is there actually any good
> security-based reason to do so?
>
>        We *allow* using the Bugzilla_login and Bugzilla_password arguments,
> but not calling User.login. It seems to me that either we should allow
> both or deny both.
>
>        Any input?
>
>        -Max
> --
> http://www.everythingsolved.com/
> Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
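The point above, that a credential sent in a GET query string lands in the web server's access log while a POST body does not, is easy to check against the log itself. The following is an added example, not code from this thread or from Bugzilla: a small scanner over constructed Apache combined-format log lines that flags both credential-bearing shapes under discussion (the `Bugzilla_login`/`Bugzilla_password` query arguments and a `User.login` call over GET) and shows how such a line would have to be redacted before the log is shipped anywhere. The URL shape `jsonrpc.cgi?method=...&params=<JSON array>` is assumed here as the GET form of the JSON-RPC interface, and every log line is constructed sample data.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample traffic in Apache combined log format (not real log data).
# Lines 1 and 2 leak a password via GET; line 3 is the same login over POST,
# whose body never reaches the access log; line 4 is an ordinary clean call.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2010:16:20:01 +0000] "GET /jsonrpc.cgi?method=User.login&params=%5B%7B%22login%22%3A%22alice%40example.com%22%2C%22password%22%3A%22hunter2%22%7D%5D HTTP/1.1" 200 512 "-" "curl/7.21.0"
203.0.113.5 - - [09/Nov/2010:16:20:02 +0000] "GET /jsonrpc.cgi?method=Bug.get&params=%5B%7B%22ids%22%3A%5B123%5D%7D%5D&Bugzilla_login=alice%40example.com&Bugzilla_password=hunter2 HTTP/1.1" 200 2048 "-" "curl/7.21.0"
203.0.113.5 - - [09/Nov/2010:16:20:03 +0000] "POST /jsonrpc.cgi HTTP/1.1" 200 512 "-" "curl/7.21.0"
203.0.113.5 - - [09/Nov/2010:16:20:04 +0000] "GET /jsonrpc.cgi?method=Bug.get&params=%5B%7B%22ids%22%3A%5B123%5D%7D%5D HTTP/1.1" 200 2048 "-" "curl/7.21.0"
"""

# client ident user [time] "verb target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Query parameters that carry credentials whenever they appear in a URL.
SENSITIVE_PARAMS = {"Bugzilla_login", "Bugzilla_password"}
# Keys inside a JSON-RPC "params" object that carry credentials (assumed names).
SENSITIVE_JSON_KEYS = {"password", "Bugzilla_password"}
LOGIN_METHOD = "User.login"


def _json_param_objects(params_value):
    """Decode the JSON-RPC 'params' argument; return its dict entries, or [] if it is not JSON."""
    try:
        params = json.loads(params_value)
    except ValueError:
        return []
    objs = params if isinstance(params, list) else [params]
    return [obj for obj in objs if isinstance(obj, dict)]


def classify_query(query):
    """Return the reasons a query string leaks credentials (empty list if it is clean)."""
    reasons = []
    qs = dict(parse_qsl(query, keep_blank_values=True))
    for name in sorted(SENSITIVE_PARAMS & set(qs)):
        reasons.append(f"credential parameter {name} in query string")
    if qs.get("method") == LOGIN_METHOD:
        reasons.append(f"{LOGIN_METHOD} called over GET")
    if "params" in qs:
        keys = set()
        for obj in _json_param_objects(qs["params"]):
            keys.update(obj)
        for key in sorted(SENSITIVE_JSON_KEYS & keys):
            reasons.append(f"JSON-RPC params carry '{key}'")
    return reasons


def find_credential_leaks(log_text):
    """Scan access-log text; yield (lineno, verb, reasons) for each request whose URL leaks credentials."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only the request line is logged, so a POST body is invisible here;
        # that is exactly why GET with credentials is the dangerous case.
        reasons = classify_query(urlsplit(m.group("target")).query)
        if reasons:
            findings.append((lineno, m.group("verb"), reasons))
    return findings


def redact_target(target):
    """Rewrite a request target so credential values (query args or JSON params) read [REDACTED]."""
    parts = urlsplit(target)
    cleaned = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in SENSITIVE_PARAMS:
            value = "[REDACTED]"
        elif name == "params":
            objs = _json_param_objects(value)
            if objs:
                for obj in objs:
                    for key in SENSITIVE_JSON_KEYS & set(obj):
                        obj[key] = "[REDACTED]"
                value = json.dumps(objs, separators=(",", ":"))
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for lineno, verb, reasons in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno} ({verb}): " + "; ".join(reasons))
```

Redaction only limits the damage once the line exists; the log also ends up in proxies, browser history and Referer headers on the way, which is why the thread's "deny both" position refuses the GET form rather than trying to scrub it afterwards.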
