| Anonymous | Login | 01-26-2021 02:35 UTC |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | |||||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | |||||||
| 0007617 | [Squeak] www.squeak.org | block | always | 03-21-11 02:15 | 03-21-11 02:17 | |||||||
| Reporter | matthewf | View Status | public | |||||||||
| Assigned To | ||||||||||||
| Priority | urgent | Resolution | open | |||||||||
| Status | new | Product Version | ||||||||||
| Summary | 0007617: Monticello versions in SqueakSource can be overwritten | |||||||||||
| Description |
When uploading a .mcz file to SqueakSource, it apparently does no check to see if something is already there by that name, and overwrites it. This is a huge security hole. It means that anybody on the internet with a WebDav client could erase or alter the development history of any open repository (Squeak or pharo inboxes, for instance), and any rogue committer could do it for critical repositories (trunk, pharo). Short of malice, this can also be done accidentally, and recently happened on the VMMaker project: http://lists.squeakfoundation.org/pipermail/vm-dev/2011-March/007222.html [^] |
|||||||||||
| Additional Information | ||||||||||||
| Attached Files | ||||||||||||
|
|
||||||||||||
 Relationships |
|
| There are no notes attached to this issue. |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 03-21-11 02:15 | matthewf | New Issue | |
| 03-21-11 02:15 | matthewf | Status | new => assigned |
| 03-21-11 02:15 | matthewf | Assigned To | => KarlRamberg |
| 03-21-11 02:16 | matthewf | Assigned To | KarlRamberg => |
| 03-21-11 02:17 | matthewf | Status | assigned => new |
| Mantis 1.0.8[^]
Copyright © 2000 - 2007 Mantis Group
32 total queries executed. 27 unique queries executed. |  |
