Message5688
On Wed, Jun 29, 2016 at 10:47:41PM +0000, John Rouillard wrote:
>
> Hi Ralf:
>
> I am considering committing this change. Bern was uncertain
> about the security implications of adding:
>
> p = db.security.addPermission(name='Search', klass='user')
> db.security.addPermissionToRole ('Anonymous', p)
>
> to schemas to allow the "Unassigned Tickets" link to be
> useful to the anonymous user.
>
> I suppose this is a way of doing a username guessing attack against
> a roundup install. Submit a search url to the tracker with a username
> to see if you get any hits. But I am not sure that is a problem.
>
> As anon you can see who a ticket is assigned to and the nosy list
> usernames so ....

Yes, that would be the implication. But since usernames are shown to
anonymous anyway, I also don't see this as an additional problem.
Maybe mention this in the upgrading docs that this should be removed for
people running trackers *without* read access for anonymous?
Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office@runtux.com

Date | User | Action | Args
2016-06-30 09:31:00 | schlatterbeck | set | recipients: + schlatterbeck, ber, rouilj, smcgraw
2016-06-30 09:31:00 | schlatterbeck | link | issue2550855 messages
2016-06-30 09:30:59 | schlatterbeck | create |
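The permission grant discussed in the thread, modelled in an added Python example that is neither Roundup's code nor from either poster. It substitutes a minimal stand-in for db.security (permissions are checked per role rather than per user id, and the real API's check functions and property lists are left out) together with a constructed user and issue table, and shows the username-guessing oracle John describes next to the guard Ralf suggests: Search on the user class is only granted to Anonymous when Anonymous already has View on issue, so no names are exposed that the tracker was not already showing.

```python
"""Simplified model of a Roundup schema's role/permission grants.

This is a stand-in for roundup's db.security, not the real module: it keeps
only what is needed to show why 'Search' on 'user' for Anonymous acts as a
username oracle, and when that oracle adds nothing new.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Permission:
    name: str              # 'View', 'Search', 'Edit', ...
    klass: Optional[str]   # class it applies to; None means any class


class Security:
    """Minimal db.security look-alike: role name -> granted permissions."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[Permission]] = {}

    def addPermission(self, name: str, klass: Optional[str] = None) -> Permission:
        return Permission(name, klass)

    def addPermissionToRole(self, role: str, perm: Permission) -> None:
        self.roles.setdefault(role, set()).add(perm)

    def hasPermission(self, name: str, role: str, klass: str) -> bool:
        # Simplification: the real check takes a user id, not a role name.
        return any(p.name == name and p.klass in (klass, None)
                   for p in self.roles.get(role, ()))


# Constructed sample data (not from any real tracker).
USERS: Dict[str, str] = {"1": "admin", "2": "alice", "3": "bob"}
ISSUES: List[dict] = [
    {"title": "login fails", "assignedto": "2", "nosy": ["2", "3"]},
]


def search_users(security: Security, role: str, username: str) -> List[str]:
    """Model of a search request against the user class (e.g. a search URL
    with username=<guess>): returns matching ids, or refuses outright when
    the role lacks Search on 'user'."""
    if not security.hasPermission("Search", role, "user"):
        raise PermissionError("Search on user denied for role %s" % role)
    return [uid for uid, name in USERS.items() if name == username]


def probe_username(security: Security, role: str, guess: str) -> bool:
    """The guessing attack from the thread: True iff the guess is a real
    username. Without Search, every guess is refused, so there is no oracle."""
    try:
        return bool(search_users(security, role, guess))
    except PermissionError:
        return False


def usernames_visible_via_issues(security: Security, role: str) -> Set[str]:
    """Usernames the role already sees through assignedto and nosy lists,
    which is the point made in the thread: with View on issue, the names
    are public anyway."""
    if not security.hasPermission("View", role, "issue"):
        return set()
    names: Set[str] = set()
    for issue in ISSUES:
        for uid in [issue["assignedto"], *issue["nosy"]]:
            names.add(USERS[uid])
    return names


def build_schema(anonymous_reads_issues: bool) -> Security:
    """The schema change under discussion, guarded as the reply suggests:
    only add Search on user for Anonymous when Anonymous already has read
    access to issues. Trackers that keep issues private skip both grants."""
    sec = Security()
    if anonymous_reads_issues:
        sec.addPermissionToRole("Anonymous", sec.addPermission(name="View", klass="issue"))
        # The two lines from the proposed change, unchanged in spirit:
        p = sec.addPermission(name='Search', klass='user')
        sec.addPermissionToRole('Anonymous', p)
    return sec


if __name__ == "__main__":
    public = build_schema(anonymous_reads_issues=True)
    print("open tracker, probe alice:", probe_username(public, "Anonymous", "alice"))
    print("open tracker, already visible:", sorted(usernames_visible_via_issues(public, "Anonymous")))
    private = build_schema(anonymous_reads_issues=False)
    print("private tracker, probe alice:", probe_username(private, "Anonymous", "alice"))
```

On the open tracker the probe confirms "alice" and rejects "mallory", but "alice" is already listed in the sample issue's assignedto field, so the search grant reveals nothing extra; on the private tracker the guard leaves the Search grant out and the probe returns False for every guess.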