[Bug 52448] New: Don't allow others to close random tubes
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Wed Jul 25 01:02:46 CEST 2012
https://bugs.freedesktop.org/show_bug.cgi?id=52448
Bug #: 52448
Summary: Don't allow others to close random tubes
Classification: Unclassified
Product: Telepathy
Version: git master
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: gabble
AssignedTo: telepathy-bugs at lists.freedesktop.org
ReportedBy: jonny.lamb at collabora.co.uk
QAContact: telepathy-bugs at lists.freedesktop.org
(From bug #32612 comment #6):
> +private_tubes_factory_tube_close_cb (
> ...
> + if (!tube_msg_checks (self, msg, node, NULL, &tube_id))
> + return FALSE;
>
> Er, this function allows Alice to close tubes between us and Bob, if she can
> guess or brute-force the tube ID. Pre-existing bug?
>
> + DEBUG ("tube ID already in use; do not open the offered tube and close "
> + "the existing tube if it's to the same contact");
>
> Not a merge blocker and presumably not your fault, but these semantics are
> crazy. We should have a separate tube ID "namespace" per peer, and store tubes
> in the hash table by (handle, id) tuples or something.
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
You are the assignee for the bug.
More information about the telepathy-bugs
mailing list