Re: Bug: committers can set arbitrary HTTP Headers on any file

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: 2007-08-10 20:50:49 CEST

Brian W. Fitzpatrick wrote:
> On 8/10/07, Ben Collins-Sussman <sussman@red-bean.com> wrote:
>> Well, um, it might be a security hole. Look at this paper:
>>
>> http://www.cgisecurity.com/lib/whitepaper_httpresponse.pdf
>
> And if I can set the body of the response to whatever I want, then
> surely *that's* a security hole, no?

Yeah, I think that's the key distinction here. The only people who can
cause this behavior are those with commit access to the repository. But if
they've gotten that far, the security hole isn't in your software -- it's in
your social network. :-)

-- 
C. Michael Pilato <cmpilato@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand

application/pgp-signature attachment: OpenPGP digital signature

Received on Fri Aug 10 20:48:54 2007

This message: [ Message body ]
Next message: Arfrever Frehtes Taifersar Arahesis: "Re: Neon 0.26.4 and configure.in"
Previous message: Brian W. Fitzpatrick: "Re: Bug: committers can set arbitrary HTTP Headers on any file"
In reply to: Brian W. Fitzpatrick: "Re: Bug: committers can set arbitrary HTTP Headers on any file"
Next in thread: Brian W. Fitzpatrick: "Re: Bug: committers can set arbitrary HTTP Headers on any file"
Reply: Brian W. Fitzpatrick: "Re: Bug: committers can set arbitrary HTTP Headers on any file"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]