incubator-heraldry-dev mailing list archives

From "Recordon, David" <drecor...@verisign.com>
Subject RE: [PATCH] Activation Security Hole
Date Fri, 26 Jan 2007 09:28:09 GMT
Thanks, looks good to me.

--David 

-----Original Message-----
From: Brendan O'Connor [mailto:ussjoin@ussjoin.com] 
Sent: Friday, January 26, 2007 1:12 AM
To: heraldry-dev@incubator.apache.org
Subject: Re: [PATCH] Activation Security Hole

David,

I added a few more comments and corrected a few typos; I then tested and
confirmed all the different paths for activation/non-activation.

Here's the third version of the patch.

---Brendan O'Connor

Recordon, David wrote:
> Thanks for the patch!
> 
> Updated patch back at ya which:
>  - Streamlines code/style
>  - Handles case where the activation code is invalid
>  - Comments what is going on
> 
> Please review/test again and then I'll commit.
> 
> --David
> 
> -----Original Message-----
> From: Brendan O'Connor [mailto:apache@ussjoin.com]
> Sent: Thursday, January 25, 2007 4:49 PM
> To: heraldry-dev@incubator.apache.org
> Subject: [PATCH] Activation Security Hole
> 
> Hello. My name is Brendan O'Connor; I'm a graduate student in Computer
> Science at The Johns Hopkins University. I am submitting a patch for
> the Heraldry PIP.
> 
> The bug/threat model that this patch addresses is as follows:
> 
> Alice creates a new account. PIP automatically sends an e-mail to
> Alice, with an account verification link. Oscar somehow gets access to
> the verification link, clicks it, then logs in with Oscar's
> credentials. Now Oscar is logged in, as Alice. The system believes
> Alice logged in, and presents Oscar with Alice's account page, as well
> as verifying Alice's e-mail address.
> 
> I have changed the code so as not to allow Oscar to log in during the 
> verification process; the following error message will be displayed.
> "You are not the account holder to whom the verification e-mail was 
> sent.  You cannot login at this time."
> 
> I am attaching the patch to account_controller.rb.
> 
> Thanks very much for your attention; please feel free to reply to me 
> with any questions or concerns.
> 
> ---Brendan O'Connor
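The flaw and the fix described in the thread, as an added plain-Ruby model (this is not the Heraldry PIP code; account_controller.rb is not shown on the page, and the controller, method and session-key names below are assumptions for illustration). The "vulnerable" controller parks the activated account in the session when the e-mailed link is followed and lets the next login in that session complete as that account; the "hardened" one refuses a login during a pending activation unless the credentials belong to the account the e-mail was sent to, returning the error text from the patch description.

```ruby
require 'digest'
require 'securerandom'

# Minimal user record; passwords are stored as a bare SHA-256 digest only to
# keep the example self-contained (a real app would use a salted, slow KDF).
User = Struct.new(:login, :password_digest, :activation_code, :activated) do
  def authenticate(password)
    password_digest == Digest::SHA256.hexdigest(password)
  end
end

def make_user(login, password)
  User.new(login, Digest::SHA256.hexdigest(password), SecureRandom.hex(16), false)
end

# Assumed model of the pre-patch flow: following the e-mailed link activates
# the account and parks its login name in the session, and the next login in
# that session is completed as the parked user.
class VulnerableAccountController
  def initialize(users)
    @users = users
  end

  # GET /account/activate/<code>
  def activate(session, code)
    user = @users.find { |u| u.activation_code == code }
    return :invalid_code unless user          # bogus or already-used code
    user.activated = true                     # also "verifies" the address
    session[:activating_user] = user.login
    :activated
  end

  # POST /account/login
  def login(session, login, password)
    submitted = @users.find { |u| u.login == login }
    return :bad_credentials unless submitted && submitted.authenticate(password)
    # Bug: the parked activation wins over the credentials actually presented,
    # so Oscar, logging in with Oscar's password, gets Alice's session.
    session[:user] = session.delete(:activating_user) || submitted.login
    :logged_in
  end
end

# Hardened variant: a login during a pending activation is accepted only from
# the account the verification e-mail was sent to.
class HardenedAccountController < VulnerableAccountController
  NOT_HOLDER = 'You are not the account holder to whom the verification ' \
               'e-mail was sent.  You cannot login at this time.'

  def login(session, login, password)
    submitted = @users.find { |u| u.login == login }
    return :bad_credentials unless submitted && submitted.authenticate(password)
    pending = session.delete(:activating_user)
    if pending && pending != submitted.login
      session[:error] = NOT_HOLDER
      return :refused
    end
    session[:user] = submitted.login
    :logged_in
  end
end

# Constructed scenario from the thread: Oscar obtains Alice's link, follows it,
# then logs in with his own credentials. Returns [login result, session owner].
def oscar_scenario(controller_class)
  alice = make_user('alice', 'alice-pw')
  oscar = make_user('oscar', 'oscar-pw')
  ctl = controller_class.new([alice, oscar])
  session = {}                                   # Oscar's browser session
  ctl.activate(session, alice.activation_code)   # Oscar clicks Alice's link
  [ctl.login(session, 'oscar', 'oscar-pw'), session[:user]]
end

# Alice follows her own link and logs in: this path must still work after the fix.
def alice_scenario(controller_class)
  alice = make_user('alice', 'alice-pw')
  ctl = controller_class.new([alice])
  session = {}
  ctl.activate(session, alice.activation_code)
  [ctl.login(session, 'alice', 'alice-pw'), session[:user], alice.activated]
end

if __FILE__ == $0
  p oscar_scenario(VulnerableAccountController)   # [:logged_in, "alice"]
  p oscar_scenario(HardenedAccountController)     # [:refused, nil]
  p alice_scenario(HardenedAccountController)     # [:logged_in, "alice", true]
end
```

The hardened login clears the parked activation before refusing, so Oscar can still log in as himself afterwards; what he can never do is turn Alice's link into Alice's session. Note that in this model `activate` still flips `activated` for whoever holds the link, which mirrors the e-mail-verification side effect the thread mentions: the link proves possession of the mailbox, and the patch's point is that it must not also hand out a session.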
