[cosmo-dev] 0.10 security bug discovered (and fixed)

Mikeal Rogers mikeal at osafoundation.org
Wed Dec 5 18:04:35 PST 2007


Yeah, this is bad.

I'll add an automated test for this so it won't slip through again.

Ted said that there were only 2 bugs left in 0.11. If those are done
by EOD tomorrow, we should just stick this fix in 0.11 and not bother
with an 0.10.1.

I imagine you have a fix for this already. Can we patch hub tonight?

-Mikeal

On Dec 5, 2007, at 5:52 PM, Brian Moseley wrote:

> this evening I discovered a security bug in 0.10 whereby user A can
> PUT, MKCOL and MKCALENDAR resources directly within user B's home
> collection. I found this bug because there is a resource within my Hub
> home collection that I did not create. it appears that a user
> configured his iCal to publish a webcal calendar into my home
> collection (whose URL was given as an example in the iCal client setup
> instructions).
>
> i've logged bug 11587 at
> https://bugzilla.osafoundation.org/show_bug.cgi?id=11587.  i've
> checked in a fix on the 0.10 branch and am about to merge it to the
> trunk.
>
> the bug has existed since r5855, which occurred on the trunk during
> 0.10 development. it is not present in 0.9.1 or earlier versions.
>
> while fixing that bug, i also discovered bug 11588, in which Cosmo
> returns a 500 response to GET on a 0-length resource. the fix for this
> bug is quite tiny, so I checked it into the 0.10 branch as well (and
> will be merging it to the trunk shortly).
>
> neither of these bugs is targeted. i recommend a 0.10.1 release asap.
> _______________________________________________
> cosmo-dev mailing list
> cosmo-dev at lists.osafoundation.org
> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
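The bug Brian describes is a missing ownership check on write methods: reads into another user's home collection were already refused, but PUT, MKCOL and MKCALENDAR were not scoped to the home collection's owner. The following is an added example of what that check looks like, with the broken variant next to the hardened one. It is not Cosmo's code and not the fix checked in for bug 11587; it assumes a hypothetical URL layout where each user's home collection is /dav/<username>/ (Cosmo's real layout may differ), assumes the request principal has already been authenticated, and treats ticket or sharing access as a separate layer outside this check.

```python
"""Path-scoped authorization for WebDAV write methods.

Added example, not Cosmo's code and not the fix for bug 11587. It assumes a
hypothetical layout in which each user's home collection is /dav/<username>/
and that the caller has already authenticated the request principal.
"""
from typing import Optional
from urllib.parse import unquote, urlparse
import posixpath

HOME_PREFIX = "dav"  # assumed mount point of the per-user home collections

READ_METHODS = {"GET", "HEAD", "PROPFIND", "REPORT", "OPTIONS"}
WRITE_METHODS = {"PUT", "MKCOL", "MKCALENDAR", "DELETE", "PROPPATCH",
                 "MOVE", "COPY", "LOCK", "UNLOCK"}


def canonical_path(raw: str) -> str:
    """Decode percent-encoding and collapse '.', '..' and repeated slashes.

    Without this, "/dav/alice/../bob/x" or "/dav/alice/%2E%2E/bob/x" would
    look like it lives under alice's home when it resolves to bob's.
    """
    decoded = unquote(raw)
    # Strip every leading slash before adding exactly one: posixpath.normpath
    # preserves a leading "//" (implementation-defined in POSIX), which would
    # defeat the prefix test in home_owner().
    return posixpath.normpath("/" + decoded.lstrip("/"))


def home_owner(path: str) -> Optional[str]:
    """Return the user whose home collection contains `path`, else None."""
    parts = canonical_path(path).split("/")  # "/dav/bob/x" -> ["", "dav", "bob", "x"]
    if len(parts) >= 3 and parts[1] == HOME_PREFIX and parts[2]:
        return parts[2]
    return None


def authorize_vulnerable(user: Optional[str], method: str, path: str) -> bool:
    """Illustrates the bug class from the thread: reads are scoped to the
    owner of the home collection, but write methods are never checked, so
    any authenticated user can PUT/MKCOL/MKCALENDAR into another home."""
    if user is None:
        return False
    if method in READ_METHODS:
        return home_owner(path) == user
    return True  # falls through for PUT, MKCOL, MKCALENDAR, ...


def authorize(user: Optional[str], method: str, path: str,
              destination: Optional[str] = None) -> bool:
    """Hardened check: every method on a home collection requires that the
    authenticated user owns it. MOVE/COPY also check the Destination
    header, otherwise a user could copy a resource *into* someone else's
    home even though the source is their own."""
    if user is None:
        return False
    if method not in READ_METHODS | WRITE_METHODS:
        return False  # unknown/unsupported method: deny by default
    if home_owner(path) != user:
        return False
    if method in {"MOVE", "COPY"}:
        if destination is None:
            return False  # RFC 4918 requires Destination for MOVE/COPY
        # Destination may be an absolute URL; only its path matters here.
        if home_owner(urlparse(destination).path) != user:
            return False
    return True


if __name__ == "__main__":
    # Constructed requests mirroring the report: alice writing into bob's home.
    for method, target in [("PUT", "/dav/bob/cal.ics"),
                           ("MKCOL", "/dav/bob/newdir/"),
                           ("MKCALENDAR", "/dav/alice/../bob/cal/"),
                           ("PUT", "/dav/alice/%2E%2E/bob/evil.ics")]:
        print(f"{method:11} {target:35} "
              f"vulnerable={authorize_vulnerable('alice', method, target)} "
              f"fixed={authorize('alice', method, target)}")
```

Two points worth carrying over to a real fix and its automated test: the check must run on the canonicalised path (otherwise `..` or percent-encoded dots slip past a prefix comparison), and MOVE/COPY need the Destination header checked as well as the request path, since those methods write somewhere other than the URL they are sent to.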
