Roundup Tracker - Issues

Message4452

Author schlatterbeck
Recipients rouilj, schlatterbeck
Date 2011-10-19.06:36:56
Message-id <20111019063653.GB19075@runtux.com>
In-reply-to <1318969746.57.0.242182944847.issue2550731@psf.upfronthosting.co.za>
On Tue, Oct 18, 2011 at 08:29:06PM +0000, John Rouillard wrote:
> > I've also made an auditor that tests if someone attaches
> > an already existing message to an issue (e.g. via XMLRPC
> > or a crafted web-request) to get read-access to the
> > message.
> 
> In my case I only allow adding a message to the issue's
> messages multilink to be done by the owner of the message
> being added. So if the user didn't originate the message,
> s/he can't add it to any other issue.

Same here, seems we have invented the same wheel independently :-)

> > But I failed to notice how easy it would be to forge
> > emails ...
> 
> Yup. It's a pretty big hole unfortunately. It can be mitigated
> somewhat by forcing all changes to be sent to the nosy list (otherwise
> a message with no body will result in an invisible change except in
> the history of the issue).

Yes, we have that, and since this is a corporate setting where most people
working on an issue know each other, it would be noticed with high
probability.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
osAlliance member                       email: rsc@osalliance.com
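The check both posters describe (a Roundup auditor on the issue's `messages` multilink that rejects linking an existing message unless the current user authored it) sketched as an added example; this is not Ralf's or John's auditor and not part of Roundup itself. It assumes the Roundup detector API (`db.issue.audit`, `db.getuid()`, `cl.get(nodeid, 'messages')`, `db.msg.get(id, 'author')`, `roundup.exceptions.Reject`); a small in-memory stand-in for the database is constructed here so the logic runs offline, and the property and class names are those of the classic tracker template.

```python
# Added example: owner-only check for attaching existing messages to an issue.
# Assumptions: Roundup's detector API as noted in the lead-in; the _FakeDB
# below is a constructed stand-in used only to exercise the auditor offline.

try:
    from roundup.exceptions import Reject
except ImportError:  # stand-in so the example runs without Roundup installed
    class Reject(Exception):
        pass


def foreign_messages(current_uid, old_messages, new_messages, author_of):
    """Return ids of messages newly added to the multilink that the current
    user did not author.  author_of(msgid) -> author user id (a string)."""
    already_linked = set(old_messages)
    added = [m for m in new_messages if m not in already_linked]
    return [m for m in added if author_of(m) != current_uid]


def audit_message_links(db, cl, nodeid, newvalues):
    """Roundup auditor for the issue class ('create' and 'set' events).

    Rejects the change if any message being newly linked was written by
    someone other than the acting user, which closes the read-access hole of
    re-attaching another user's message to an issue the attacker can see."""
    if 'messages' not in newvalues:
        return
    old = cl.get(nodeid, 'messages') if nodeid else []
    bad = foreign_messages(db.getuid(), old, newvalues['messages'],
                           lambda m: db.msg.get(m, 'author'))
    if bad:
        raise Reject('cannot attach messages you did not author: %s'
                     % ', '.join(bad))


def init(db):
    """Entry point Roundup calls for a module placed in the detectors dir."""
    db.issue.audit('create', audit_message_links)
    db.issue.audit('set', audit_message_links)


# --- constructed in-memory stand-in for db/class objects (not Roundup) -----
class _FakeClass:
    def __init__(self, items):
        self._items = items

    def get(self, nodeid, prop):
        return self._items[nodeid][prop]

    def audit(self, event, fn):
        pass  # registration is a no-op in the stand-in


class _FakeDB:
    def __init__(self, uid, msgs, issues):
        self._uid = uid
        self.msg = _FakeClass(msgs)
        self.issue = _FakeClass(issues)

    def getuid(self):
        return self._uid


def demo():
    """Exercise the auditor: user '2' links their own msg '5' (accepted) and
    then user '3's msg '6' (rejected). Returns a dict of outcomes."""
    msgs = {'5': {'author': '2'}, '6': {'author': '3'}}
    issues = {'10': {'messages': ['1']}}
    db = _FakeDB(uid='2', msgs=msgs, issues=issues)
    results = {}
    for label, new in (('own_message', ['1', '5']),
                       ('foreign_message', ['1', '6'])):
        try:
            audit_message_links(db, db.issue, '10', {'messages': new})
            results[label] = 'accepted'
        except Reject:
            results[label] = 'rejected'
    return results


if __name__ == '__main__':
    print(demo())  # {'own_message': 'accepted', 'foreign_message': 'rejected'}
```

Messages already linked to the issue are left alone, so editing other properties of an issue that carries someone else's messages is still allowed; only the act of newly linking a foreign message is refused.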
History
Date                 User           Action  Args
2011-10-19 06:36:57  schlatterbeck  set     recipients: + schlatterbeck, rouilj
2011-10-19 06:36:57  schlatterbeck  link    issue2550731 messages
2011-10-19 06:36:56  schlatterbeck  create