[cosmo-dev] 0.10 security bug discovered (and fixed)

Ted Leung twl at osafoundation.org
Wed Dec 5 18:26:52 PST 2007


Even if we stick these in an EOD 0.11 tomorrow, we'd still need to qualify that 0.11, which seems like it would take more time than 0.10.1. I think the real question is how comfortable Jared Rhine feels with a hot update to hub asap.

Ted

On Dec 5, 2007, at 6:04 PM, Mikeal Rogers wrote:

> Yeah, this is bad.
>
> I'll add an automated test for this so it won't slip through again.
>
> Ted said that there were only 2 bugs left in 0.11; if those are done by EOD tomorrow we should just stick this fix in 0.11 and not bother with an 0.10.1.
>
> I imagine you have a fix for this already. Can we patch hub tonight?
>
> -Mikeal
>
> On Dec 5, 2007, at 5:52 PM, Brian Moseley wrote:
>
>> this evening I discovered a security bug in 0.10 whereby user A can PUT, MKCOL and MKCALENDAR resources directly within user B's home collection. I found this bug because there is a resource within my Hub home collection that I did not create. it appears that a user configured his iCal to publish a webcal calendar into my home collection (whose URL was given as an example in the iCal client setup instructions).
>>
>> I've logged bug 11587 at https://bugzilla.osafoundation.org/show_bug.cgi?id=11587. I've checked in a fix on the 0.10 branch and am about to merge it to the trunk.
>>
>> the bug has existed since r5855, which occurred on the trunk during
>> 0.10 development. it is not present in 0.9.1 or earlier versions.
>>
>> while fixing that bug, I also discovered bug 11588, in which Cosmo returns a 500 response to GET on a 0-length resource. the fix for this bug is quite tiny, so I checked it into the 0.10 branch as well (and will be merging it to the trunk shortly).
>>
>> neither of these bugs is targeted. I recommend a 0.10.1 release asap.
>> _______________________________________________
>> cosmo-dev mailing list
>> cosmo-dev at lists.osafoundation.org
>> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
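An added illustration, not code from the Cosmo project or from anyone in this thread, of the class of check whose absence Brian describes: a WebDAV server that refuses PUT, MKCOL and MKCALENDAR into a home collection the authenticated principal does not own, shown beside the vulnerable shape, plus a retrospective scan of constructed access-log lines for writes that crossed into another user's home. The `/home/<user>/` path layout, function names and log format are assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote

# WebDAV/CalDAV methods that create or modify resources.
WRITE_METHODS = {"PUT", "MKCOL", "MKCALENDAR", "DELETE", "MOVE", "COPY", "PROPPATCH"}


def home_owner(path: str) -> Optional[str]:
    """Owner of the home collection a request path falls under.
    Assumed layout (not Cosmo's real one): /home/<username>/... .
    Each segment is percent-decoded and dot segments are refused, so
    '/home/alice/%2e%2e/bcm/x.ics' is never attributed to alice."""
    segments = [unquote(s) for s in path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None
    if len(segments) < 2 or segments[0] != "home":
        return None
    return segments[1]


def authorize_broken(method: str, path: str, principal: Optional[str]) -> bool:
    """The vulnerable shape: any authenticated user may write anywhere."""
    return principal is not None


def authorize_fixed(method: str, path: str, principal: Optional[str]) -> bool:
    """Writes are allowed only into the principal's own home collection.
    Non-write methods fall through to the regular ACL check (not modelled)."""
    if principal is None:
        return False
    if method.upper() not in WRITE_METHODS:
        return True
    return home_owner(path) == principal


def cross_home_writes(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Retrospective check over constructed access-log lines of the form
    '<user> <method> <path> <status>': report successful writes by a user
    into a home collection that is not their own."""
    hits = []
    for line in log_lines:
        user, method, path, status = line.split()
        if method in WRITE_METHODS and status.startswith("2") \
                and home_owner(path) not in (None, user):
            hits.append((user, method, path))
    return hits


SAMPLE_LOG = [  # constructed sample, not real Hub traffic
    "alice PUT /home/alice/cal/work.ics 201",
    "alice PUT /home/bcm/published.ics 201",
    "bob MKCALENDAR /home/bcm/ical 201",
    "bob GET /home/bcm/ical 200",
    "alice PUT /home/alice/%2e%2e/bcm/x.ics 403",
]
```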
