Message4452
On Tue, Oct 18, 2011 at 08:29:06PM +0000, John Rouillard wrote:
> > I've also made an auditor that tests if someone attaches
> > an already existing message to an issue (e.g. via XMLRPC
> > or a crafted web-request) to get read-access to the
> > message.
>
> In my case I only allow adding a message to the issue's
> messages multilink to be done by the owner of the message
> being added. So if the user didn't originate the message,
> s/he can't add it to any other issue.
Same here, seems we have invented the same wheel independently :-)
> > But I failed to notice how easy it would be to forge
> > emails ...
>
> Yup. It's a pretty big hole unfortunately. It can be mitigated
> somewhat by forcing all changes to be sent to the nosy list (otherwise
> a message with no body will result in an invisible change except in
> the history of the issue).
Yes we have that and since this is a corporate setting where most people
working on an issue know each other it would be noticed with high
probability.
Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office@runtux.com
osAlliance member email: rsc@osalliance.com

History:
Date                User           Action  Args
2011-10-19 06:36:57 schlatterbeck  set     recipients: + schlatterbeck, rouilj
2011-10-19 06:36:57 schlatterbeck  link    issue2550731 messages
2011-10-19 06:36:56 schlatterbeck  create
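An auditor implementing the check John describes (only the author of a message may add it to an issue's messages multilink), written here as an added example and not taken from either tracker in the thread. It assumes Roundup's standard detector signature (db, cl, nodeid, newvalues), that newvalues['messages'] carries the full proposed id list, and that the msg class has an author Link to user; the Reject fallback only exists so the logic runs without Roundup installed.

```python
"""Roundup auditor: only the author of a message may attach it to an issue.

Intended for a tracker's detectors/ directory. The ownership test is kept
in a pure function so it can be exercised without a live tracker.
"""
try:
    from roundup.exceptions import Reject
except ImportError:  # stand-alone run without Roundup installed
    class Reject(Exception):
        pass


def foreign_messages(existing, proposed, author_of, uid):
    """Return message ids newly added to the multilink that uid did not author.

    existing  - message ids already linked to the issue (empty on create)
    proposed  - full message id list submitted with the change
    author_of - callable mapping a message id to its author's user id
    uid       - id of the user making the change
    Removing messages is never flagged: only additions are checked.
    """
    known = set(existing)
    return [m for m in proposed if m not in known and author_of(m) != uid]


def audit_message_ownership(db, cl, nodeid, newvalues):
    """Reject attaching someone else's message (e.g. via XML-RPC or a crafted
    web request) to an issue as a way of gaining read access to it."""
    if 'messages' not in newvalues:
        return
    # On create there is no node yet, so nothing is linked so far.
    existing = cl.get(nodeid, 'messages') if nodeid else []
    bad = foreign_messages(existing, newvalues['messages'],
                           lambda m: db.msg.get(m, 'author'), db.getuid())
    if bad:
        raise Reject('You may only attach messages you authored: %s'
                     % ', '.join(bad))


def init(db):
    # Register for both creation and later edits of issues.
    db.issue.audit('create', audit_message_ownership)
    db.issue.audit('set', audit_message_ownership)
```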