Closed Bug 743067 Opened 13 years ago Closed 12 years ago

Security review of Dragnet (DLL Directory)

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: brandon, Assigned: mgoodwin)

Details

(Whiteboard: [completed secreview])

* This application is a database containing DLL file information based on crashes we have collected. It is editable only by those who are part of the Mozilla LDAP directory.
* This app supports login and essentially two roles: a non-logged in user can only read; a logged in user can create new DLLs, leave comments, and edit existing DLL information.
* The worst thing that can happen with this app is that the data could be compromised. Part of our mission here is that we want to provide a list of DLLs that has integrity, so people searching Google can find information about DLLs. This information, were it to be compromised by malware authors (and they will try), would potentially harm any number of user computers.
* There is not a specific admin page. Any user that is logged in has access to all pages of the application at this time.
* This is a Q2 goal.
Assigned back to :brandon until we can get the information needed.
Assignee: nobody → bsavage
The answers to these questions were in fact the opening description of this bug. Please let me know what specific additional information you need.
Sorry for the confusion, but it does not appear that they were all answered so if you can put them as an inline reply that would be helpful.

Who is/are the point of contact(s) for this review?

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

Does this request block another bug? If so, please indicate the bug number

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

Are there any portions of the project that interact with 3rd party services?

Will your application/service collect user data? If so, please describe

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
(In reply to Curtis Koenig [:curtisk] from comment #4)
> Sorry for the confusion, but it does not appear that they were all answered
> so if you can put them as an inline reply that would be helpful.
>
> Who is/are the point of contact(s) for this review?

Brandon Savage, Laura Thomson

> Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

* This application is a database containing DLL file information based on crashes we have collected. It is editable only by those who are part of the Mozilla LDAP directory.

> Please provide links to additional information (e.g. feature page, wiki) if
> available and not yet included in feature description:

There are no additional pages for this app.

> Does this request block another bug? If so, please indicate the bug number
> This review will be scheduled amongst other requested reviews. What is the
> urgency or needed completion date of this review?

This request doesn't block a specific bug but does block ship of this app in Q2, which is a goal.

> Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
>
> Does this feature or code change affect Firefox, Thunderbird or any product
> or service the Mozilla ships to end users?

No.

> Are there any portions of the project that interact with 3rd party services?

In the future this app will draw data from Bugzilla and Socorro, but presently does not. It will not interact with them on anything but a read-only level.

> Will your application/service collect user data? If so, please describe

This application will not collect user data beyond what is already stored in LDAP. Users who have an LDAP account will be able to leave comments, which may include their personal details. All comments and data will be publicly visible.

> If you feel something is missing here or you would like to provide other
> kind of feedback, feel free to do so here (no limits on size):
>
> Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite.
Assignee: bsavage → curtisk
Whiteboard: [pending secreview]
Assignee: curtisk → nobody
Whiteboard: [pending secreview] → [pending secreview][triage needed 2012.05.02]
Assignee: nobody → mgoodwin
Status: NEW → ASSIGNED
Whiteboard: [pending secreview][triage needed 2012.05.02] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Any update on when this will be completed?
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [completed secreview]
Status: RESOLVED → VERIFIED