Bug 782330: Whine emails show the summary of security sensitive bugs
Status: Closed (RESOLVED FIXED)
Opened 12 years ago, closed 12 years ago
Categories: bugzilla.mozilla.org :: Extensions, defect
People: Reporter: ehsan.akhgari, Assigned: dkl
Attachments (1 file): patch, 1.54 KB, gerv: review+
These emails are not encrypted, so third-parties could read the summary of those emails by intercepting them.
Updated • 12 years ago
Component: General → Extensions: SecureMail
OS: Mac OS X → All
Hardware: x86 → All
Comment 1 (Assignee) • 12 years ago
Question: Should we encrypt the whole email if one or more of the bugs listed is a secure bug and leave the summary and other bug attributes intact, or should we create a hook and go through each list of bugs returned and remove the summary and other information and leave a sanitized version of the summary in its place?
Number 1 would analyze the email bodies for bug ids, and then if one or more is secure, then encrypt the entire multipart message. Slightly less maintainable if the whine templates change slightly.
Number 2 could be done fairly simply by adding a hook into whine.pl that SecureMail could use that looks through the bug list before it is sent to the mail templates. Then we would just replace the summary for the secure bugs with a sanitized subject and leave the email unencrypted.
Preferences? I tend to lean towards number 2 although we would need to push the hook upstream as well whereas number 1 could be done entirely in SecureMail extension.
dkl
Comment 2 (Reporter) • 12 years ago
I don't really have a strong preference either way, so I'll leave this for you to decide. :-)
Comment 3 • 12 years ago
I'd prefer number 2. If we encrypt the whole email, that's just another barrier to people reading and acting on it :-)
Gerv
Comment 4 (Assignee) • 12 years ago
Ok. Will work on a patch for #2.
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Comment 5 (Assignee) • 12 years ago
Attachment #651821 - Flags: review?(gerv)
Comment 6 • 12 years ago
Comment on attachment 651821
Patch to filter secure bug data in whine emails (v1)
Looks good to me. Did you test it?
Gerv
Attachment #651821 - Flags: review?(gerv) → review+
Comment 7 (Assignee) • 12 years ago
(In reply to Gervase Markham [:gerv] from comment #6)
> Looks good to me. Did you test it?
>
> Gerv
Of course :) Well in that I created two bugs, one secure and one not. Then created a saved search that included those two bug ids. Then scheduled a new whine that used that saved search as the query and sent it to myself. When viewing the data/mailer.testfile, I observed that the secure bug had all attributes scrubbed and the summary stated (Secure bug) while the insecure bug was untouched. It all seemed correct to me.
dkl
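The behaviour chosen in this thread (option 2: scrub secure bugs from the list before the whine mail is templated), sketched as an added example; it is not the attached patch or Bugzilla code. The function names, field names and group name are assumptions, and it goes slightly beyond the thread by scrubbing through an allowlist and by treating a bug with missing group data as secure.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical names throughout: not the SecureMail patch, not a Bugzilla API.
my %SECURE_GROUPS = map { $_ => 1 } qw(core-security);   # constructed group name
my %KEEP          = map { $_ => 1 } qw(bug_id);          # fields safe to mail in clear

# A bug is secure if any of its groups is marked secure. Missing group data
# fails closed: the bug is scrubbed rather than mailed unencrypted.
sub is_secure_bug {
    my ($bug) = @_;
    return 1 unless ref($bug->{groups}) eq 'ARRAY';
    return scalar grep { $SECURE_GROUPS{$_} } @{ $bug->{groups} };
}

# Return a new list in which secure bugs keep only allowlisted fields. Every
# other column the saved search selected is blanked, so a column added to the
# query later cannot leak. Non-secure bugs pass through untouched.
sub sanitize_whine_bugs {
    my ($bugs) = @_;
    my @out;
    for my $bug (@$bugs) {
        if (!is_secure_bug($bug)) { push @out, $bug; next; }
        my %clean = map { $_ => ($KEEP{$_} ? $bug->{$_} : '') } keys %$bug;
        delete $clean{groups};
        $clean{short_desc} = '(Secure bug)';   # fixed placeholder summary
        push @out, \%clean;
    }
    return \@out;
}

# Constructed sample rows, shaped like the result of a saved search.
my $rows = [
    { bug_id => 101, short_desc => 'Typo in footer',     priority => 'P3', groups => [] },
    { bug_id => 102, short_desc => 'Crash in parser',    priority => 'P1', groups => ['core-security'] },
    { bug_id => 103, short_desc => 'Unknown visibility', priority => 'P2' },   # no group data
];

for my $bug (@{ sanitize_whine_bugs($rows) }) {
    printf "%-5s %-3s %s\n", $bug->{bug_id}, $bug->{priority}, $bug->{short_desc};
}
```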
Comment 8 (Reporter) • 12 years ago
(In reply to comment #7)
> (In reply to Gervase Markham [:gerv] from comment #6)
> > Looks good to me. Did you test it?
> >
> > Gerv
>
> Of course :) Well in that I created two bugs, one secure and one not. Then
> created a saved search that included those two bug ids. Then scheduled a new
> whine that used that saved search as the query and sent it to myself. When
> viewing the data/mailer.testfile, I observed that the secure bug had all
> attributes scrubbed and the summary stated (Secure bug) while the insecure bug
> was untouched. It all seemed correct to me.
FWIW this scenario matches mine almost perfectly.
Comment 9 (Assignee) • 12 years ago
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.0
modified whine.pl
modified extensions/SecureMail/Extension.pm
Committed revision 8275.
Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
modified whine.pl
modified extensions/SecureMail/Extension.pm
Committed revision 8299.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 10 • 12 years ago
Can we make sure this hook gets pushed upstream?
Comment 11 (Assignee) • 12 years ago
(In reply to Reed Loden [:reed] from comment #10)
> Can we make sure this hook gets pushed upstream?
Yep. Was getting ready to file the bug :)
dkl
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 12 (Assignee) • 12 years ago
(In reply to David Lawrence [:dkl] from comment #11)
> (In reply to Reed Loden [:reed] from comment #10)
> > Can we make sure this hook gets pushed upstream?
>
> Yep. Was getting ready to file the bug :)
>
> dkl
bug 783107
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 13 (Reporter) • 12 years ago
(In reply to comment #2)
> I don't really have a strong preference either way, so I'll leave this for you
> to decide. :-)
Actually with this deployed, I changed my mind. It would be really good if those emails can be encrypted. Without that, my security bug whines have turned pretty useless. :(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 14 • 12 years ago
since this has been deployed, i've filed a bug 784578 for your request (we can't track two different requests on the same bug).
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 15 (Reporter) • 12 years ago
(In reply to comment #14)
> since this has been deployed, i've filed a bug 784578 for your request (we
> can't track two different requests on the same bug).
Sounds good, thanks!
Updated • 5 years ago
Component: Extensions: SecureMail → Extensions