incubator-heraldry-dev mailing list archives

From Brendan O'Connor <ussj...@ussjoin.com>
Subject Re: [PATCH] Activation Security Hole
Date Fri, 26 Jan 2007 09:11:42 GMT
David,

I added a few more comments and corrected a few typos; I then tested and 
confirmed all the different paths for activation/non-activation.

Here's the third version of the patch.

---Brendan O'Connor

Recordon, David wrote:
> Thanks for the patch!
> 
> Updated patch back at ya which:
>  - Streamlines code/style
>  - Handles case where the activation code is invalid
>  - Comments what is going on
> 
> Please review/test again and then I'll commit.
> 
> --David 
> 
> -----Original Message-----
> From: Brendan O'Connor [mailto:apache@ussjoin.com] 
> Sent: Thursday, January 25, 2007 4:49 PM
> To: heraldry-dev@incubator.apache.org
> Subject: [PATCH] Activation Security Hole
> 
> Hello. My name is Brendan O'Connor; I'm a graduate student in Computer
> Science at The Johns Hopkins University. I am submitting a patch for the
> Heraldry PIP.
> 
> The bug/threat model that this patch addresses is as follows:
> 
> Alice creates a new account. PIP automatically sends an e-mail to Alice,
> with an account verification link. Oscar somehow gets access to the
> verification link, clicks it, then logs in with Oscar's credentials. Now
> Oscar is logged in, as Alice. The system believes Alice logged in, and
> presents Oscar with Alice's account page, as well as verifying Alice's
> e-mail address.
> 
> I have changed the code so as not to allow Oscar to log in during the
> verification process; the following error message will be displayed.
> "You are not the account holder to whom the verification e-mail was
> sent.  You cannot login at this time."
> 
> I am attaching the patch to account_controller.rb.
> 
> Thanks very much for your attention; please feel free to reply to me
> with any questions or concerns.
> 
> ---Brendan O'Connor
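
A plain-Ruby sketch of the check the thread describes, added here as an illustration; it is not the project's account_controller.rb, and the account store, function names and the invalid-code message are assumptions.

```ruby
# Illustrative model of the activation flow discussed above (not Heraldry's code).
# An activation link identifies one account; the login that completes activation
# must be for that same account, otherwise nobody is logged in and nothing is
# verified. Account store and messages below are constructed for the example.
require 'securerandom'

Account = Struct.new(:id, :email, :activation_code, :verified)

NOT_HOLDER_MSG = "You are not the account holder to whom the verification " \
                 "e-mail was sent.  You cannot login at this time."
INVALID_CODE_MSG = "Invalid activation code."   # assumed wording

# Constructed in-memory store keyed by activation code.
ACCOUNTS = {}

def create_account(id, email)
  code = SecureRandom.hex(16)              # unguessable, single-use token
  acct = Account.new(id, email, code, false)
  ACCOUNTS[code] = acct
  acct
end

# Called when the activation link is followed and credentials are presented.
# `authenticated_id` is the account whose credentials were just accepted.
# Returns [status, message, logged_in_account_id].
def complete_activation(code, authenticated_id)
  acct = ACCOUNTS[code]
  return [:invalid, INVALID_CODE_MSG, nil] if acct.nil?
  # The check the patch adds: Oscar's credentials must not complete Alice's link.
  if authenticated_id != acct.id
    return [:not_holder, NOT_HOLDER_MSG, nil]   # no login, e-mail stays unverified
  end
  acct.verified = true
  ACCOUNTS.delete(code)                      # consume the token so it cannot be replayed
  [:ok, "Account verified.", acct.id]
end
```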
