Message6402
The REST code generates an etag as an md5 hash of a representation of
item properties.
That includes properties to which the user does not have access.
Depending on the schema, that means it could be used as an oracle to
test guesses for values of such properties by generating hashes with
guessed values for those properties inserted and seeing if those match
the provided etag.
This could be addressed by using HMAC with a per-instance random secret
key, instead of a simple hash function, or by storing a random etag in
the database for each item (generated automatically like the 'activity'
property) so it's not related to item properties at all, just changes to
a new random value whenever any other change is made.
See mailing list discussion:
https://sourceforge.net/p/roundup/mailman/message/36615272/

History:
Date | User | Action | Args
2019-03-19 00:22:46 | joseph_myers | set | recipients: + joseph_myers
2019-03-19 00:22:46 | joseph_myers | set | messageid: <1552954966.0.0.579971885284.issue2551033@roundup.psfhosted.org>
2019-03-19 00:22:45 | joseph_myers | link | issue2551033 messages
2019-03-19 00:22:45 | joseph_myers | create |
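The following is an added illustration of the issue and the two fixes proposed in the message; it is not Roundup's code. It uses a constructed item with a hypothetical hidden property ("password") and shows that a plain md5 etag confirms a correct guess for that property, while an HMAC etag keyed with a server-side secret does not, and a stored random etag carries no property information at all.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample item (hypothetical property names, not Roundup's schema).
# "password" stands in for a property the REST caller may not read.
ITEM = {"id": "1", "title": "Login broken", "assignedto": "admin",
        "password": "hunter2"}


def weak_etag(props):
    """Etag as md5 of a representation of all item properties, including
    ones hidden from the caller (the pattern the message describes)."""
    rep = json.dumps(props, sort_keys=True)
    return hashlib.md5(rep.encode()).hexdigest()


def hmac_etag(props, key):
    """Fix 1: HMAC over the same representation with a per-instance secret;
    without the key the served value cannot be reproduced for a guess."""
    rep = json.dumps(props, sort_keys=True)
    return hmac.new(key, rep.encode(), hashlib.sha256).hexdigest()


def random_etag():
    """Fix 2: a random etag stored with the item and regenerated on every
    change, so it is unrelated to any property value."""
    return secrets.token_hex(16)


def etag_confirms_guess(served_etag, public_props, hidden, guess, etag_fn):
    """Regression check: rebuild the representation from the readable
    properties plus a guessed hidden value; True means the etag leaks
    whether the guess is right."""
    candidate = dict(public_props, **{hidden: guess})
    return hmac.compare_digest(etag_fn(candidate), served_etag)


def demo():
    public = {k: v for k, v in ITEM.items() if k != "password"}
    key = secrets.token_bytes(32)  # per-instance secret, never served
    weak, keyed = weak_etag(ITEM), hmac_etag(ITEM, key)
    # Without the real key, the best an outsider can do is try some other key.
    outsider = lambda p: hmac_etag(p, b"guessed-key")
    return {
        "weak_right": etag_confirms_guess(weak, public, "password", "hunter2", weak_etag),
        "weak_wrong": etag_confirms_guess(weak, public, "password", "letmein", weak_etag),
        "hmac_right": etag_confirms_guess(keyed, public, "password", "hunter2", outsider),
    }
```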