P4DTI issue job000203

Title: Users can masquerade as other users
Status: closed
Priority: nice
Assigned user: Richard Brooksby
Organization: Ravenbrook
Description: Because users are matched by e-mail address between the defect tracker and Perforce, you can fool the replicator by running "p4 user" and editing your email address.
Analysis: This is a security hole. We could ameliorate the problem by switching the algorithm so it works on userid first and e-mail address second, or by reporting duplicate Perforce e-mail addresses.
How found: manual_test
Evidence: <http://www.ravenbrook.com/project/p4dt...c/2001-02-01/release-0.5.1-test-report/>, item 4.
Observed in: 0.5.1
Introduced in: 0.4.0
Created by: Gareth Rees
Created on: 2001-02-13 15:42:13
Last modified by: Gareth Rees
Last modified on: 2001-12-10 19:22:38
History:
2001-02-13 GDR Created.
2001-10-02 GDR Closed: duplicate Perforce e-mail addresses are reported so you can't masquerade without being found out.

Fixes

Change | Effect | Date | User | Description
22875 | closed | 2001-10-02 18:17:13 | Gareth Rees | Report Perforce users with duplicate e-mail addresses as well.
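
The two measures named in the Analysis (match on userid first and e-mail address second, and report duplicate Perforce e-mail addresses), shown together in Python. This is an added example, not P4DTI's own code; the function names, the case-insensitive address comparison and the user records are assumptions constructed for illustration.

```python
from collections import defaultdict

def norm(email):
    # Assumption of this example: addresses compare case-insensitively.
    return email.strip().lower()

def duplicate_emails(p4_users):
    """Return {email: [userids]} for addresses held by more than one Perforce user."""
    holders = defaultdict(list)
    for userid, email in p4_users.items():
        holders[norm(email)].append(userid)
    return {e: sorted(u) for e, u in holders.items() if len(u) > 1}

def match_users(dt_users, p4_users):
    """Map tracker userid -> Perforce userid: userid first, e-mail second.

    An address held by several Perforce users is never used for matching.
    Returns (matches, unmatched tracker userids, duplicate report).
    """
    dups = duplicate_emails(p4_users)
    matches = {u: u for u in dt_users if u in p4_users}
    taken = set(matches.values())
    unique = {norm(e): u for u, e in p4_users.items()
              if norm(e) not in dups and u not in taken}
    unmatched = []
    for userid, email in dt_users.items():
        if userid in matches:
            continue
        p4 = unique.get(norm(email))
        if p4 is None:
            unmatched.append(userid)
        else:
            matches[userid] = p4
    return matches, sorted(unmatched), dups

# Constructed sample data: "mallory" has run "p4 user" and set Bob's address.
DT_USERS = {"alice": "alice@example.com", "bob": "bob@example.com",
            "rb": "rb@example.com", "mallory": "mallory@example.com"}
P4_USERS = {"alice": "alice@example.com", "robert": "bob@example.com",
            "richard": "RB@example.com", "mallory": "bob@example.com"}

if __name__ == "__main__":
    matches, unmatched, dups = match_users(DT_USERS, P4_USERS)
    for email, users in dups.items():
        print("duplicate e-mail %s held by: %s" % (email, ", ".join(users)))
    print("matched:", matches, "unmatched:", unmatched)
```

With the sample data, the edited address never resolves to Bob's tracker account: "bob" is left unmatched and the shared address is reported with both Perforce userids that hold it.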