esme-dev mailing list archives

From Ethan Jewett <esjew...@gmail.com>
Subject Re: [VOTE] Approve the release of apache-esme-incubating-1.0 - (Yes Again :->)
Date Sat, 20 Feb 2010 20:27:20 GMT
We can't do a release with "role.api_test=integration-admin" either,
so that has to go as well.

It is a huge security hole: No api_test user is delivered with the
software, so if someone unwittingly deploys with this setting, the
first user to create an account with the username "api_test" will have
the ability to add accounts and manage tokens for all users via the
API. In other words, they will be able to gain access to any account via
the API.

Ethan

On Sat, Feb 20, 2010 at 2:07 PM, Sig Rinde <sig@rinde.com> wrote:
>> Maybe making this two-line change to one file is small enough that we
>> don't have to revote. I'm not sure. Maybe the mentors can weigh in.
>
> Two lines?
>
> I only changed "jdbc" to "filesystem" and it worked (for me)
>
> Anything I missed?
>
> S
>
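
An added example, not part of the original message or of ESME's code: a release-gate check for the problem described above, flagging any `role.<username>=<role>` entry whose username is not an account delivered with the software. The entry format is taken from the one line quoted in the message; the function names, the sample file contents and the shipped-user list are assumptions.

```python
import re

# Matches entries shaped like the one quoted in the message:
#   role.<username>=<role>
ROLE_LINE = re.compile(r"^\s*role\.(?P<user>[^=:\s]+)\s*[=:]\s*(?P<role>\S+)\s*$")


def role_grants(props_text):
    """Return (line_no, username, role) for each role.<username> entry."""
    grants = []
    for line_no, line in enumerate(props_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        match = ROLE_LINE.match(line)
        if match:
            grants.append((line_no, match.group("user"), match.group("role")))
    return grants


def unclaimed_grants(props_text, shipped_users):
    """Grants whose username is not an account delivered with the software.

    Such a username can be registered by whoever signs up first, and the
    configured role then attaches to that person's account.
    """
    shipped = set(shipped_users)
    return [grant for grant in role_grants(props_text) if grant[1] not in shipped]


# Constructed sample input, not a real ESME properties file.
SAMPLE_PROPS = """\
# constructed example
example.setting=value
role.api_test=integration-admin
#role.old_user=integration-admin
"""

if __name__ == "__main__":
    # The message says no api_test user is delivered, so the shipped set
    # is empty here (an assumption for this sample).
    for line_no, user, role in unclaimed_grants(SAMPLE_PROPS, shipped_users=[]):
        print(f"line {line_no}: role '{role}' granted to undelivered username '{user}'")
```

A non-empty result from `unclaimed_grants` is a reason to fail the release build until the entry is removed or the account is shipped.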
