Closed Bug 915406 Opened 7 years ago Closed 7 years ago

Security review for central idea behind Bugzilla Change Notification System

Categories

(bugzilla.mozilla.org Graveyard :: Bugzilla Change Notification System, defect)

Production
defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcote, Assigned: ygjb)

References

Details

The Bugzilla team has been discussing the creation of a notification
system.  We want something very lightweight, with long-running
connections, that notifies users when particular bugs change.  The
current security system is very much set up for atomic requests and not
designed to handle something like this, but we don't want to attempt to
reimplement it, of course.

A few of us came up with a plan for a system that could sit directly on
the database and bypass the security layer by *severely* restricting the
data that is made available to the users:  bug ID and last-changed time
*only*.  A user could subscribe to *any* bug number, regardless of
visibility/privacy, but the *only* information they would get would be
when that bug changes--not what changed or any other details.  Thus the
maximum amount of information a user could get about a private bug would
be that it was modified X times during time T1 to T2.  The reason for the
changes would be completely unknown.  If a user wanted to know what
changed, they would have to do a *separate* call to the standard
Bugzilla API, in which all normal security checks would be performed as
usual.

We have a wiki page with further information at
https://wiki.mozilla.org/BMO/ChangeNotificationSystem

I would like to know if this is acceptable information to convey to a
user.  I can't think of a scenario in which this information could be
used to benefit a malicious user at all.  Note that a dedicated user can
already get *some* information on private bugs in the current system,
namely, how many there are and when new ones are created or existing
public ones are made private.
Flags: needinfo?(jstevensen)
Flags: sec-review? → sec-review?(yboily)
Waiting for feedback on opsec from this.
I agree, I don't think that knowing the ID of a changed bug is a security risk. I'm fine with this.
Flags: needinfo?(jstevensen)
Cool, closing this out so we can proceed with developing a prototype.
Blocks: 923849
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Sorry yvan, if you have any further comments, please add them and/or reopen.
Component: General → Bugzilla Change Notification System
Flags: sec-review?(yboily) → sec-review+
Product: bugzilla.mozilla.org → bugzilla.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.