| Title | Users can masquerade as other users |
| Status | closed |
| Priority | nice |
| Assigned user | Richard Brooksby |
| Organization | Ravenbrook |
| Description | Because users are matched by e-mail address between the defect tracker and Perforce, you can fool the replicator by running "p4 user" and editing your email address. |
| Analysis | This is a security hole. We could ameliorate the problem by switching the algorithm so it works on userid first and e-mail address second, or by reporting duplicate Perforce e-mail addresses. |
| How found | manual_test |
| Evidence | <http://www.ravenbrook.com/project/p4dt...c/2001-02-01/release-0.5.1-test-report/>, item 4. |
| Observed in | 0.5.1 |
| Introduced in | 0.4.0 |
| Created by | Gareth Rees |
| Created on | 2001-02-13 15:42:13 |
| Last modified by | Gareth Rees |
| Last modified on | 2001-12-10 19:22:38 |
| History | 2001-02-13 GDR Created. 2001-10-02 GDR Closed: duplicate Perforce e-mail addresses are reported so you can't masquerade without being found out. |

| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 22875 | closed | 2001-10-02 18:17:13 | Gareth Rees | Report Perforce users with duplicate e-mail addresses as well. |
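
The two mitigations named in the analysis (match on userid first and e-mail address second, and report duplicate Perforce e-mail addresses), shown beside e-mail-only matching. This is an added example, not code from P4DTI or Ravenbrook. The user records, the function names, the case-insensitive address comparison and the choice to skip e-mail matching for a duplicated address are all assumptions made for illustration.

```python
# Added illustration, not P4DTI code. All user records below are constructed.
from collections import defaultdict

P4_USERS = {  # Perforce userid -> e-mail address (user-editable via "p4 user")
    "alice": "alice@example.com",
    "bob": "bob@example.com",
    "carol": "carol@example.com",
    "mallory": "Alice@Example.com",  # edited to collide with alice's address
}
DT_USERS = {  # defect tracker userid -> e-mail address
    "alice": "alice@example.com",
    "bob": "bob@example.com",
    "csmith": "carol@example.com",
}

def norm(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower()

def match_by_email_only(p4_users, dt_users):
    """The matching the report describes: e-mail address is the only key."""
    dt_by_email = {norm(e): u for u, e in dt_users.items()}
    return {p4: dt_by_email[norm(e)] for p4, e in p4_users.items()
            if norm(e) in dt_by_email}

def duplicate_emails(p4_users):
    """Addresses claimed by more than one Perforce user, for the admin report."""
    owners = defaultdict(list)
    for userid, email in p4_users.items():
        owners[norm(email)].append(userid)
    return {e: sorted(ids) for e, ids in owners.items() if len(ids) > 1}

def match_users(p4_users, dt_users):
    """Userid first, e-mail second; never match on an ambiguous address."""
    dups = duplicate_emails(p4_users)
    dt_by_email = {norm(e): u for u, e in dt_users.items()}
    matches = {}
    for p4, email in p4_users.items():
        if p4 in dt_users:
            matches[p4] = p4
        elif norm(email) in dt_by_email and norm(email) not in dups:
            matches[p4] = dt_by_email[norm(email)]
    return matches, dups

if __name__ == "__main__":
    print("e-mail only:", match_by_email_only(P4_USERS, DT_USERS))
    matches, dups = match_users(P4_USERS, DT_USERS)
    print("userid first:", matches)
    for email, ids in dups.items():
        print("duplicate Perforce e-mail address %s: %s" % (email, ", ".join(ids)))
```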