Bug w/ bugzilla and loadbalancing
gerv at mozilla.org
Fri Sep 20 23:21:53 BST 2002
>>>So long actually that I didn't read it :-)
>>Read it. Basically it's just a security measure against a cookie stealing

Bugzilla accepts attachments from basically anyone, and serves them up
to you. An HTML attachment with a script could easily steal your cookies
when you viewed it. Restricting to a single IP means that the login
cookie is useless to the thief.

>>There is a patch for this case attached to the bug report but it doesn't
>>seem to be optimal. At least not clean enough for committing it.

bbaetz is still working on it, but he's very busy. The current patch
didn't get review, and it'll have rotted a fair bit by now. A refreshed
patch submitted by someone from the KDE project would be very welcome.

I'd go for the SQWebmail solution - a "restrict to your IP address"
option on the login screen, checked by default. Unchecking it allows any
IP in your Class C to use your cookie. Optionally, the size of the class
could be admin-configurable. I think bbaetz' patch is along these lines.

> Right. My fix would be to put the IP in the cookie path. That would solve
> the actual problem that your cookie for IP A goes away as soon as IP B
> appears. Of course you still had to relogin on IP change.

Er... so how does that fix anything, then? :-) The idea is to not have
to relogin on IP change.
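To make the "restrict to your IP address" idea above concrete, here is an added example (not Bugzilla's code, and not bbaetz's patch) of a login cookie bound either to the exact client address or, when the user unchecks the box, to the surrounding network whose prefix length an admin can configure (24 for a Class C). The cookie format, the HMAC signing and the helper names are assumptions made for this illustration; Bugzilla itself stores login cookies in its database rather than signing them. The point it shows is that a cookie lifted by a script in an attachment is rejected when replayed from another address, and that a thief cannot simply edit the embedded network field because the MAC covers it.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed secret for the demo; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Admin-configurable prefix used when "restrict to my IP address" is unchecked.
# 24 bits == a Class C network, the default suggested in the thread.
RELAXED_PREFIX_LEN = 24


def _network_for(ip: str, restrict_to_ip: bool,
                 prefix_len: int = RELAXED_PREFIX_LEN) -> str:
    """Network the cookie is bound to: the single host, or its /prefix_len block."""
    addr = ipaddress.ip_address(ip)
    if restrict_to_ip:
        # Host route: /32 for IPv4, /128 for IPv6.
        return str(ipaddress.ip_network((addr, addr.max_prefixlen)))
    # strict=False lets a host address stand in for its network address.
    return str(ipaddress.ip_network((addr, prefix_len), strict=False))


def issue_login_cookie(user_id: int, client_ip: str, restrict_to_ip: bool = True,
                       prefix_len: int = RELAXED_PREFIX_LEN) -> str:
    """Build a cookie (hypothetical format) "user_id|nonce|network|mac".

    mac = HMAC-SHA256(SERVER_SECRET, "user_id|nonce|network"), so the bound
    network cannot be widened without the server secret.
    """
    nonce = secrets.token_hex(8)
    network = _network_for(client_ip, restrict_to_ip, prefix_len)
    payload = f"{user_id}|{nonce}|{network}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_login_cookie(cookie: str, client_ip: str):
    """Return the user id if the cookie is intact and presented from an allowed
    address; return None for a malformed, tampered or misplaced cookie."""
    try:
        user_id, nonce, network, mac = cookie.split("|")
    except ValueError:
        return None  # wrong number of fields
    payload = f"{user_id}|{nonce}|{network}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # signature mismatch: the network field was edited
    try:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(network):
            return None  # replayed from outside the bound host or network
    except ValueError:
        return None  # unparsable address or network
    return int(user_id)


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    strict = issue_login_cookie(42, "203.0.113.7")
    print(validate_login_cookie(strict, "203.0.113.7"))   # 42: same host
    print(validate_login_cookie(strict, "203.0.113.8"))   # None: different host
    relaxed = issue_login_cookie(42, "203.0.113.7", restrict_to_ip=False)
    print(validate_login_cookie(relaxed, "203.0.113.8"))  # 42: same Class C
    print(validate_login_cookie(relaxed, "203.0.114.8"))  # None: other network
```

With the box checked the cookie is usable only from the address that logged in, which is what makes a stolen cookie worthless; with it unchecked, a user whose address moves within the same /24 keeps the session, at the cost of letting anyone else in that block reuse the cookie. Widening the prefix further is an admin decision that trades the same way.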