[cosmo-dev] 0.10 security bug discovered (and fixed)
Brian Moseley
bcm at osafoundation.org
Wed Dec 5 17:52:46 PST 2007
this evening I discovered a security bug in 0.10 whereby user A can
PUT, MKCOL and MKCALENDAR resources directly within user B's home
collection. I found this bug because there is a resource within my Hub
home collection that I did not create. it appears that a user
configured his iCal to publish a webcal calendar into my home
collection (whose URL was given as an example in the iCal client setup
instructions).
i've logged bug 11587 at
https://bugzilla.osafoundation.org/show_bug.cgi?id=11587. i've
checked in a fix on the 0.10 branch and am about to merge it to the
trunk.
the bug has existed since r5855, which occurred on the trunk during
0.10 development. it is not present in 0.9.1 or earlier versions.
while fixing that bug, i also discovered bug 11588, in which Cosmo
returns a 500 response to GET on a 0-length resource. the fix for this
bug is quite tiny, so I checked it into the 0.10 branch as well (and
will be merging it to the trunk shortly).
neither of these bugs is targeted. i recommend a 0.10.1 release asap.
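An added example, not Cosmo's code and not from the post: the ownership check a WebDAV server has to make before honouring PUT, MKCOL or MKCALENDAR, plus an audit that runs the same check over access-log lines to find writes that landed in another user's home while a 0.10 server was unpatched. It assumes a hypothetical URL layout in which the segment after `dav` names the home collection's owner, and Apache-style log lines whose remote-user field holds the authenticated principal.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Resource-creating methods the post says user A could issue inside user B's home.
WRITE_METHODS = {"PUT", "MKCOL", "MKCALENDAR"}

def home_owner(path: str) -> Optional[str]:
    """Owner of the home collection containing `path`.
    Assumed layout: the segment after "dav" names the owner (/cosmo/dav/bob/...)."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    if "dav" not in parts:
        return None
    i = parts.index("dav") + 1
    return parts[i] if i < len(parts) and parts[i] else None

def is_cross_home_write(method: str, path: str, principal: Optional[str]) -> bool:
    """The check the server must enforce: a write method may only target the
    authenticated principal's own home. An anonymous principal (None) owns nothing."""
    if method.upper() not in WRITE_METHODS:
        return False
    owner = home_owner(path)
    return owner is not None and owner != principal

# Apache common/combined log line; the third field is the authenticated user.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def audit(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """(timestamp, user, method, path) for each cross-home write that succeeded (2xx).
    Run over access logs from the unpatched period to see whether the bug was hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        user = None if m["user"] == "-" else m["user"]
        if m["status"].startswith("2") and is_cross_home_write(m["method"], m["path"], user):
            hits.append((m["ts"], m["user"], m["method"], m["path"]))
    return hits

# Constructed sample log lines, not from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - alice [05/Dec/2007:17:52:46 -0800] "PUT /cosmo/dav/bob/calendar/work.ics HTTP/1.1" 201 0',
    '203.0.113.7 - bob [05/Dec/2007:17:53:01 -0800] "MKCALENDAR /cosmo/dav/bob/work/ HTTP/1.1" 201 0',
    '203.0.113.5 - alice [05/Dec/2007:17:53:30 -0800] "PUT /cosmo/dav/bob/x.ics HTTP/1.1" 403 0',
    '203.0.113.9 - - [05/Dec/2007:17:54:00 -0800] "GET /cosmo/dav/bob/empty.ics HTTP/1.1" 500 0',
    '203.0.113.8 - carol [05/Dec/2007:17:55:12 -0800] "MKCOL /cosmo/dav/alice/notes/ HTTP/1.1" 201 0',
]
```

`audit(SAMPLE_LOG)` reports the two writes by alice and carol that succeeded in someone else's home; the 403 and the GET are ignored.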