Joomla! Issue Tracker - J!Tracker

Download
Launch
Feeling Lucky

[#485] - Security issue with differences

enhancement
avatar brianteeman
brianteeman
10 Sep 2014

Is the differences button available to everyone or just some users?

If it is for everyone then there is a potential security issue. A user could enter confidential information here such as their site login details and we can never remove it as it will always be accessible by clicking on differences

If the differences button is only for users with elevated privileges then its not an issue

avatar brianteeman brianteeman - open - 10 Sep 2014
avatar b2z
b2z - comment - 10 Sep 2014

It is for everyone...

avatar elkuku
elkuku - comment - 10 Sep 2014

Yes you only need "view" permissions to see those differences.

I think we can add a "delete event" functionality (we still need to implement that for comments I guess)

The last option would be to "hack" the database and manually delete the offending row...

avatar brianteeman
brianteeman - comment - 11 Sep 2014

Do we need the differences button?
I'm very concerned about this as its very common for users to post usernames and passwords

avatar elkuku
elkuku - comment - 11 Sep 2014

Do we want to track changes to the title or description text?

avatar brianteeman
brianteeman - comment - 11 Sep 2014

Personally I don't see the need to track any changes. What is the use case?
On 11 Sep 2014 04:18, "Nikolai Plath" notifications@github.com wrote:

Do we want to track changes to the title or description text?


Reply to this email directly or view it on GitHub
#485 (comment).

avatar mbabker
mbabker - comment - 11 Sep 2014

Some of it serves as an audit log of sorts. Some of it is data that was
tracked in JoomlaCode. We weren't tracking the issue descriptions though.

On Thursday, September 11, 2014, Brian Teeman notifications@github.com
wrote:

Personally I don't see the need to track any changes. What is the use
case?
On 11 Sep 2014 04:18, "Nikolai Plath" > wrote:

Do we want to track changes to the title or description text?


Reply to this email directly or view it on GitHub
#485 (comment).


Reply to this email directly or view it on GitHub
#485 (comment).

avatar brianteeman
brianteeman - comment - 11 Sep 2014

The easiest option then (without seeing the code) is not to track the
descriptions or comments.

On 11 September 2014 06:51, Michael Babker notifications@github.com wrote:

Some of it serves as an audit log of sorts. Some of it is data that was
tracked in JoomlaCode. We weren't tracking the issue descriptions though.

On Thursday, September 11, 2014, Brian Teeman notifications@github.com
wrote:

Personally I don't see the need to track any changes. What is the use
case?
On 11 Sep 2014 04:18, "Nikolai Plath" > wrote:

Do we want to track changes to the title or description text?


Reply to this email directly or view it on GitHub
#485 (comment).


Reply to this email directly or view it on GitHub
#485 (comment).


Reply to this email directly or view it on GitHub
#485 (comment).

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar b2z b2z - change - 14 Sep 2014
Labels Added: enhancement
avatar b2z b2z - reference | - 2 Nov 14
avatar b2z
b2z - comment - 2 Nov 2014

Now the difference will be tracked, but not displayed. If you feel that we need to change the behavior open this issue again ;)

avatar b2z b2z - close - 2 Nov 2014
avatar b2z b2z - close - 2 Nov 2014
avatar b2z b2z - change - 2 Nov 2014
Status New Closed
Closed_Date 0000-00-00 00:00:00 2014-11-02 12:35:52

Add a Comment

Login with GitHub to post a comment