incubator-heraldry-dev mailing list archives

From "Recordon, David" <>
Subject RE: [PATCH] Activation Security Hole
Date Fri, 26 Jan 2007 09:28:09 GMT
Thanks, looks good to me.


-----Original Message-----
From: Brendan O'Connor [] 
Sent: Friday, January 26, 2007 1:12 AM
Subject: Re: [PATCH] Activation Security Hole


I added a few more comments and corrected a few typos; I then tested and
confirmed all the different paths for activation/non-activation.

Here's the third version of the patch.

---Brendan O'Connor

Recordon, David wrote:
> Thanks for the patch!
> Updated patch back at ya which:
>  - Streamlines code/style
>  - Handles case where the activation code is invalid
>  - Comments what is going on
> Please review/test again and then I'll commit.
> --David
> -----Original Message-----
> From: Brendan O'Connor []
> Sent: Thursday, January 25, 2007 4:49 PM
> To:
> Subject: [PATCH] Activation Security Hole
> Hello. My name is Brendan O'Connor; I'm a graduate student in Computer
> Science at The Johns Hopkins University. I am submitting a patch for
> the Heraldry PIP.
> The bug/threat model that this patch addresses is as follows:
> Alice creates a new account. PIP automatically sends an e-mail to
> Alice, with an account verification link. Oscar somehow gets access to
> the verification link, clicks it, then logs in with Oscar's
> credentials. Now Oscar is logged in, as Alice. The system believes
> Alice logged in, and presents Oscar with Alice's account page, as well
> as verifying Alice's e-mail address.
> I have changed the code so as not to allow Oscar to log in during the 
> verification process; the following error message will be displayed.
> "You are not the account holder to whom the verification e-mail was 
> sent.  You cannot login at this time."
> I am attaching the patch to account_controller.rb.
> Thanks very much for your attention; please feel free to reply to me 
> with any questions or concerns.
> ---Brendan O'Connor
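
The activation/login sequence Brendan describes, modelled as an added example in plain Ruby. This is not Heraldry's account_controller.rb and not Brendan's patch (which is attached to the mail and not reproduced in the archive); the account store, the session keys, the method names and the two test accounts are constructed for illustration. The block shows the original behaviour (the login form after a valid activation link signs the visitor in as the verified account, whatever credentials were entered) beside a hardened login that refuses to complete activation unless the credentials presented belong to the account the verification e-mail was sent to, and it also rejects an unknown activation code, the case David's revision mentions.

```ruby
# Added example (not Heraldry's code): a Rails-free model of the PIP
# activation flow. Struct layout, session keys and method names are assumptions.
require 'digest'

# Error text quoted from Brendan's mail.
ACTIVATION_ERROR = 'You are not the account holder to whom the verification ' \
                   'e-mail was sent.  You cannot login at this time.'

Account = Struct.new(:login, :password_digest, :activation_code, :activated,
                     keyword_init: true)

# Minimal stand-in for the Rails model layer.
class AccountStore
  def initialize(accounts)
    @accounts = accounts
  end

  def by_code(code)
    @accounts.find { |a| a.activation_code == code }
  end

  def by_login(login)
    @accounts.find { |a| a.login == login }
  end

  # Unsalted SHA-256 is only to keep the example short; use a real password hash.
  def authenticate(login, password)
    acct = by_login(login)
    acct if acct && acct.password_digest == Digest::SHA256.hexdigest(password)
  end
end

# Step 1 (shared by both versions): the e-mailed link carries the activation
# code. Clicking it records which account is being verified and sends the
# visitor to the login form. An unknown code is rejected up front.
def activate(store, code, session)
  account = store.by_code(code)
  return :invalid_code unless account
  session[:activation_login] = account.login
  :login_required
end

# Step 2, original behaviour as described in the report: any successful login
# while an activation is pending completes that activation and signs the
# visitor in as the verified account, regardless of whose credentials they were.
def login_vulnerable(store, login, password, session)
  user = store.authenticate(login, password)
  return :bad_credentials unless user
  if (pending = session.delete(:activation_login))
    target = store.by_login(pending)
    target.activated = true
    target.activation_code = nil
    session[:user] = target.login # Oscar's password, Alice's session
  else
    session[:user] = user.login
  end
  :logged_in
end

# Step 2, hardened: the credentials must belong to the account the e-mail was
# sent to. Otherwise nobody is logged in, the address stays unverified and the
# stale pending marker is dropped; Alice's link itself remains usable.
def login_secure(store, login, password, session)
  user = store.authenticate(login, password)
  return :bad_credentials unless user
  pending = session.delete(:activation_login)
  return :not_account_holder if pending && pending != user.login
  if pending
    user.activated = true
    user.activation_code = nil
  end
  session[:user] = user.login
  :logged_in
end

# Constructed sample data: Alice has a fresh, unactivated account; Oscar has an
# ordinary activated account of his own.
def build_store
  AccountStore.new([
    Account.new(login: 'alice', password_digest: Digest::SHA256.hexdigest('alice-pw'),
                activation_code: 'c0ffee', activated: false),
    Account.new(login: 'oscar', password_digest: Digest::SHA256.hexdigest('oscar-pw'),
                activation_code: nil, activated: true)
  ])
end

# Oscar obtains Alice's verification link, clicks it, then logs in as himself.
def oscar_attack(login_method)
  store = build_store
  session = {}
  activate(store, 'c0ffee', session)
  result = method(login_method).call(store, 'oscar', 'oscar-pw', session)
  { result: result, session_user: session[:user],
    alice_activated: store.by_login('alice').activated }
end

if __FILE__ == $PROGRAM_NAME
  p oscar_attack(:login_vulnerable) # session_user "alice", alice_activated true
  p oscar_attack(:login_secure)     # :not_account_holder, nobody logged in
end
```

The check that matters is the single comparison between the pending activation login and the authenticated user; everything else is the same in both versions. Treating the rejected attempt as a hard failure (no session user set, activation state untouched) is what keeps Alice's address from being marked verified by someone else's login.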
