1198028 - Tie attachment security tokens to IP address of user

Status: NEW

(Bugzilla :: Attachments & Requests, enhancement)

Description

[Gervase Markham [:gerv]]

There have been two problems recently which allowed the stealing or reuse of attachment security access tokens. One was a configuration problem of the environment around Bugzilla, and one was a browser bug. See bug 1179241, bug 1190449 and bug 1189814.

It seems like a good defence-in-depth move to lock security attachment access tokens to the IP address of the user, so they are much less useful if stolen. Given that these tokens are used a second or so after being issued, it seems unlikely that a user will change IP address in that time except very, very rarely. So I would expect no compatibility impact.

Gerv

Comment 1

[:glob ✱]

(In reply to Gervase Markham [:gerv] from comment #0)
> it seems unlikely that a user will change IP address in that time except
> very, very rarely.

.. unless they are mobile, or using a multi-homed network (such as a conference or a hotel).

Comment 2

[Gervase Markham [:gerv]]

(In reply to Byron Jones ‹:glob› from comment #1)
> .. unless they are mobile, or using a multi-homed network (such as a
> conference or a hotel).

Mobile does mean IP addresses change, but not every second. So a failure would still be rare. 

Do multi-homed networks not implement IP address affinity for connections? I'd expect lack of that to break quite a few things...

Gerv

Comment 3

[:glob ✱]

(In reply to Gervase Markham [:gerv] from comment #2)
> (In reply to Byron Jones ‹:glob› from comment #1)
> > .. unless they are mobile, or using a multi-homed network (such as a
> > conference or a hotel).
> 
> Mobile does mean IP addresses change, but not every second. So a failure
> would still be rare. 

i apologise - i had login ip address restrictions in my mind, instead of this very short lived token, and my hinted-at concerns in comment 1 were not well founded.

i think this is a great idea :)