Ravenbrook / Projects / Perforce Defect Tracking Integration / Issues
Perforce Defect Tracking Integration
| Title: | Users can masquerade as other users |
| Status: | closed |
| Priority: | nice |
| Assigned user: | Richard Brooksby |
| Product: | p4dti |
| Organization: | Ravenbrook |
| Description: | Because users are matched by e-mail address between the defect tracker and Perforce, you can fool the replicator by running "p4 user" and editing your email address. |
| Analysis: | This is a security hole. We could ameliorate the problem by switching the algorithm so it works on userid first and e-mail address second, or by reporting duplicate Perforce e-mail addresses. |
| How found: | manual_test |
| Evidence: | <http://www.ravenbrook.com/project/p4dti/doc/2001-02-01/release-0.5.1-test-report/>, item 4. |
| Observed in: | 0.5.1 |
| Introduced in: | 0.4.0 |
| Test procedure: | none |
| Created by: | gdr |
| Created on: | 2001-02-13 15:42:13 |
| Last modified by: | gdr |
| Last modified on: | 2001-12-10 19:22:38 |
| History: | 2001-02-13 GDR Created. 2001-10-02 GDR Closed: duplicate Perforce e-mail addresses are reported so you can't masquerade without being found out. |
| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 22875 | closed | 2001-10-02 18:17:13 | gdr | Report Perforce users with duplicate e-mail addresses as well. |
Generated at 2008-12-02 04:57:38 by $Id: //info.ravenbrook.com/infosys/cgi/issue.cgi#430 $
Copyright © Ravenbrook Limited. This document is provided "as is", without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this document. You may make and distribute verbatim copies of this document provided that you do not charge a fee for this document or for its distribution.