incubator-heraldry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Recordon, David" <drecor...@verisign.com>
Subject RE: [PATCH] Activation Security Hole
Date Fri, 26 Jan 2007 06:20:26 GMT
Hmm, seems my message was missing a patch.  Trying both .patch and .txt
to see what was going on.

--David

-----Original Message-----
From: Recordon, David [mailto:drecordon@verisign.com] 
Sent: Thursday, January 25, 2007 10:14 PM
To: heraldry-dev@incubator.apache.org
Subject: RE: [PATCH] Activation Security Hole

Thanks for the patch!

Updated patch back at ya which:
 - Streamlines code/style
 - Handles case where the activation code is invalid
 - Comments what is going on

Please review/test again and then I'll commit.

--David 

-----Original Message-----
From: Brendan O'Connor [mailto:apache@ussjoin.com]
Sent: Thursday, January 25, 2007 4:49 PM
To: heraldry-dev@incubator.apache.org
Subject: [PATCH] Activation Security Hole

Hello. My name is Brendan O'Connor; I'm a graduate student in Computer
Science at The Johns Hopkins University. I am submitting a patch for the
Heraldry PIP.

The bug/threat model that this patch addresses is as follows:

Alice creates a new account. PIP automatically sends an e-mail to Alice,
with an account verification link. Oscar somehow gets access to the
verification link, clicks it, then logs in with Oscar's credentials. Now
Oscar is logged in, as Alice. The system believes Alice logged in, and
presents Oscar with Alice's account page, as well as verifying Alice's
e-mail address.

I have changed the code so as not to allow Oscar to log in during the
verification process; the following error message will be displayed.
"You are not the account holder to whom the verification e-mail was
sent.  You cannot login at this time."

I am attaching the patch to account_controller.rb.

Thanks very much for your attention; please feel free to reply to me
with any questions or concerns.

---Brendan O'Connor

Mime
View raw message