[Bug 52448] New: Don't allow others to close random tubes

Wed Jul 25 01:02:46 CEST 2012

https://bugs.freedesktop.org/show_bug.cgi?id=52448

             Bug #: 52448
           Summary: Don't allow others to close random tubes
    Classification: Unclassified
           Product: Telepathy
           Version: git master
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: gabble
        AssignedTo: telepathy-bugs at lists.freedesktop.org
        ReportedBy: jonny.lamb at collabora.co.uk
         QAContact: telepathy-bugs at lists.freedesktop.org


(From bug #32612 comment #6):
> +private_tubes_factory_tube_close_cb (
> ...
> + if (!tube_msg_checks (self, msg, node, NULL, &tube_id))
> + return FALSE;
> 
> Er, this function allows Alice to close tubes between us and Bob, if she can
> guess or brute-force the tube ID. Pre-existing bug?
> 
> + DEBUG ("tube ID already in use; do not open the offered tube and close "
> + "the existing tube if it's to the same contact");
> 
> Not a merge blocker and presumably not your fault, but these semantics are
> crazy. We should have a separate tube ID "namespace" per peer, and store tubes
> in the hash table by (handle, id) tuples or something.

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
You are the assignee for the bug.