Bug w/ bugzilla and loadbalancing

Gervase Markham gerv at mozilla.org
Fri Sep 20 23:21:53 BST 2002


>>>http://bugzilla.mozilla.org/show_bug.cgi?id=20122
>>>So long actually that I didn't read it :-)
>>
>>Read it. Basically it's just a security measure against a cookie stealing
>>attack.

Bugzilla accepts attachments from basically anyone, and serves them up 
to you. An HTML attachment with a script could easily steal your cookies 
when you viewed it. Restricting to a single IP means that the login 
cookie is useless to the thief.

>>There is a patch for this case attached to the bug report, but it doesn't
>>seem to be optimal. At least not clean enough for committing it.

bbaetz is still working on it, but he's very busy. The current patch 
didn't get review, and it'll have rotted a fair bit by now. A refreshed 
patch submitted by someone from the KDE project would be very welcome. 
I'd go for the SQWebmail solution - a "restrict to your IP address" 
option on the login screen, checked by default. Unchecking it allows any 
IP in your Class C to use your cookie. Optionally, the size of the class 
could be admin-configurable. I think bbaetz' patch is along these lines.

> Right. My fix would be to put the IP in the cookie path. That would solve
> the actual problem that your cookie for IP A goes away as soon as IP B
> appears. Of course you still had to relogin on IP change.

Er... so how does that fix anything, then? :-) The idea is to not have 
to relogin on IP change.

Gerv
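The mechanism discussed above (a login cookie bound to the address it was issued to, with an opt-out that widens the binding to the surrounding /24, "Class C", block, and an admin-configurable block size), as an added illustration that is not part of this thread, not Bugzilla's code and not bbaetz's patch. Bugzilla itself is written in Perl; this is a Python sketch of the same check. The names `SessionStore`, `login`, `validate`, `LOOSE_PREFIX_LEN` and all addresses are assumptions made for the example.

```python
import ipaddress
import secrets

# Hypothetical admin setting: how wide the binding becomes when the user
# unchecks "restrict to your IP address" on the login screen. 24 bits is the
# old Class C mentioned in the thread; the strict default binds to the single
# address. (Assumes IPv4 for the loose case, as the 2002 discussion does.)
LOOSE_PREFIX_LEN = 24


class SessionStore:
    """Maps login-cookie values to (user, network the cookie may be used from)."""

    def __init__(self, loose_prefix_len=LOOSE_PREFIX_LEN):
        self.loose_prefix_len = loose_prefix_len
        self._sessions = {}

    def login(self, user, client_ip, restrict_to_ip=True):
        """Issue a cookie value bound to client_ip (or to its enclosing block)."""
        addr = ipaddress.ip_address(client_ip)
        # Strict: exactly this address (/32 for IPv4, /128 for IPv6).
        prefix = addr.max_prefixlen if restrict_to_ip else self.loose_prefix_len
        network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = (user, network)
        return token

    def validate(self, token, client_ip):
        """Return the user for this cookie, or None if unknown or replayed
        from an address outside the block it was bound to."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, network = entry
        # Mismatched IP versions compare as "not in", so they are rejected too.
        if ipaddress.ip_address(client_ip) not in network:
            return None
        return user


def demo():
    """Constructed scenario: a cookie stolen via a scripted HTML attachment
    is replayed by the thief from a different address."""
    store = SessionStore()
    victim_cookie = store.login("victim", "192.0.2.10")  # default: strict
    results = {
        "owner": store.validate(victim_cookie, "192.0.2.10"),
        "thief_other_block": store.validate(victim_cookie, "198.51.100.7"),
        "thief_same_block": store.validate(victim_cookie, "192.0.2.11"),
    }
    # Same user, box unchecked: any address in the /24 works (e.g. a proxy
    # or load-balancer pool in that block), other blocks still do not.
    loose_cookie = store.login("victim", "192.0.2.10", restrict_to_ip=False)
    results["loose_same_block"] = store.validate(loose_cookie, "192.0.2.200")
    results["loose_other_block"] = store.validate(loose_cookie, "198.51.100.7")
    return results


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:>18}: {'accepted as ' + user if user else 'rejected'}")
```

The check is only as good as the client address it compares against: it must come from the TCP connection or from a header set by a proxy you trust, since a client-supplied `X-Forwarded-For` would let the thief claim the victim's address. Loosening to the /24 trades some of the protection for convenience, which is why the thread proposes keeping the strict setting as the default.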
