Bug 658098 - Security review for new PHP component of TBPL
Opened 14 years ago, closed 14 years ago
Product/Component: mozilla.org :: Security Assurance: Applications (task)
Status: RESOLVED DUPLICATE of bug 661365
Reporter: jgriffin, Assignee: rforbes
Whiteboard: [completed secreview]
> A quick intro to what this app does.
This component interfaces with an ElasticSearch database, and reads/writes
orange comments for TBPL. The ES db is inside the firewall, however, this
PHP script has permissions to read/write from it, and the PHP script
will be visible to the world.
> Where is the source code located?
The source is not yet checked in, but it can be seen here:
https://bug601743.bugzilla.mozilla.org/attachment.cgi?id=525724
> Is there a stage server running that we can also test against? If so,
> please indicate what machine the web server is running on.
The code is running on a staging server here:
http://brasstacks.mozilla.com/tbpl/?tree=Firefox
The staged version is running against a local instance of ES, not
the production instance of ES, so any testing you do to it that results
in garbage in the db is fine.
> Where would you like the bugs filed in bugzilla? Please specify
> the product, component and if anyone specific should be copied
> on the bugs.
Please use Webtools -> Tinderboxpushlog, cc:ing jgriffin and mstange.
> Please describe if this app will be connecting to any internal or external
> services or if it is able to interact with the OS.
It doesn't interact with the OS (except for logging), but does interact
with an internal instance of ElasticSearch (database). It is able to
read and write to the database with limitations; it can't delete data
or modify existing data, only add new data.
> Does this app support logins or multiple roles? If so, we'll need
> test accounts created for each available role.
No logins or multiple roles.
> What is the worst case scenario that could happen with this system,
> data or connected systems? (This is used to help understand the
> criticality of this server.)
If the system went down, it would mean that developers could not star
oranges in TBPL, which would likely result in tree closures until
the problem was resolved.
> Does this website contain an administration page? If so, have the
> admin page blockers (listed here) all been addressed?
No admin page.
> This review will be scheduled amongst other requested reviews.
> What is the urgency or needed completion date of this review?
This is one of the last pieces needed for getting rid of tinderbox;
I think the developers would like it finished in a timely manner, but
it's not a fire drill.
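As an added illustration (this is not the starcomment.php attachment under review, which is not reproduced on this page), the append-only property claimed in the description can be enforced inside the PHP script itself: accept only POST, validate the submitted fields, and issue a single document-create request to a fixed ElasticSearch index path that is never assembled from client input. The ES host, index and type names, field names and the buildid format below are assumptions.

```php
<?php
// Added example, not the TBPL code under review. An append-only writer for
// orange comments: the only ElasticSearch request this script can make is a
// document create (POST without an id) against a fixed index, so the
// world-visible script cannot be driven into updates, deletes or queries.

const ES_BASE  = 'http://127.0.0.1:9200';   // assumed: ES is reachable only inside the firewall
const ES_INDEX = 'tbpl';                    // assumed index name
const ES_TYPE  = 'orange_comment';          // assumed document type name

/** Validate and normalise the submitted comment; return null if it is not acceptable. */
function build_comment(array $post): ?array
{
    $required = ['buildid', 'machinename', 'starttime', 'comment'];
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    // Assumed formats: a 14-digit buildid, a numeric start time, a bounded comment.
    if (!preg_match('/^\d{14}$/', $post['buildid'])) {
        return null;
    }
    if (!ctype_digit($post['starttime']) || strlen($post['comment']) > 4096) {
        return null;
    }
    return [
        'buildid'     => $post['buildid'],
        'machinename' => $post['machinename'],
        'starttime'   => (int) $post['starttime'],
        'comment'     => $post['comment'],
        'timestamp'   => gmdate('c'),
    ];
}

/** Build the one request shape this script is allowed to send to ElasticSearch. */
function es_create_request(array $doc): array
{
    return [
        'method' => 'POST',
        // No document id in the URL: ES assigns one, so this call can only create.
        'url'    => ES_BASE . '/' . ES_INDEX . '/' . ES_TYPE . '/',
        'body'   => json_encode($doc),
    ];
}

/** Send the request with a short timeout; return the raw ES response body or ''. */
function send(array $req): string
{
    $ctx = stream_context_create(['http' => [
        'method'  => $req['method'],
        'header'  => "Content-Type: application/json\r\n",
        'content' => $req['body'],
        'timeout' => 5,
    ]]);
    $resp = @file_get_contents($req['url'], false, $ctx);
    return $resp === false ? '' : $resp;
}

// Entry point: reject anything but POST, reject malformed input, then create.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit;
}
$doc = build_comment($_POST);
if ($doc === null) {
    http_response_code(400);
    exit;
}
header('Content-Type: application/json');
echo send(es_create_request($doc));
```

When reviewing a script of this kind, the check that matters is that no client-controlled value reaches the HTTP method or the URL: the index, type and id segments are constants, and the body is built from validated fields rather than forwarded as submitted. That is what keeps a script with read/write credentials to an internal ES instance from becoming a general-purpose proxy to it.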
Updated 14 years ago: Whiteboard: [pending secreview]
Updated 14 years ago: Assignee: infrasec → rforbes
Comment 1 (14 years ago)
I've filed another TBPL security review request in bug 661365 for the other PHP changes that are waiting to be deployed. The starcomment.php file which this bug is about is also included in the repository in bug 661365, so you might want to combine these two security reviews.
Comment 2 (14 years ago)
Closing this bug as a duplicate of bug 661365 as per comment 1.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated 14 years ago: Whiteboard: [pending secreview] → [completed secreview]