Closed Bug 915406 Opened 12 years ago Closed 12 years ago

Security review for central idea behind Bugzilla Change Notification System

Categories

(bugzilla.mozilla.org Graveyard :: Bugzilla Change Notification System, defect)

Product:
bugzilla.mozilla.org Graveyard
Component:
Bugzilla Change Notification System
Version:
Production
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mcote, Assigned: ygjb)

References

Details

The Bugzilla team has been discussing the creation of a notification system. We want something very lightweight, with long-running connections, that notifies users when particular bugs change. The current security system is very much set up for atomic requests and not designed to handle something like this, but we don't want to attempt to reimplement it, of course. A few of us came up with a plan for a system that could sit directly on the database and bypass the security layer by *severely* restricting the data that is made available to the users: bug ID and last-changed time *only*. A user could subscribe to *any* bug number, regardless of visibility/privacy, but the *only* information they would get would be when that bug changes--not what changed or any other details. Thus the maximum amount of information a user could get about a private bug would be that it was modified X times during time T1 to T2. The reason for the changes would be completely unknown. If a user wanted to know what changed, they would have to do a *separate* call to the standard Bugzilla API, in which all normal security checks would be performed as usual. We have a wiki page with further information at https://wiki.mozilla.org/BMO/ChangeNotificationSystem I would like to know if this is acceptable information to convey to a user. I can't think of a scenario in which this information could be used to benefit a malicious user at all. Note that a dedicated user can already get *some* information on private bugs in the current system, namely, how many there are and when new ones are created or existing public ones are made private.
Flags: needinfo?(jstevensen)
Flags: sec-review? → sec-review?(yboily)
Waiting for feedback on opsec from this.
I agree, I don't think that knowing the ID of a changed bug is a security risk. I'm fine with this.
Flags: needinfo?(jstevensen)
Cool, closing this out so we can proceed with developing a prototype.
Blocks: 923849
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Sorry yvan, if you have any further comments, please add them and/or reopen.
Component: General → Bugzilla Change Notification System
Flags: sec-review?(yboily) → sec-review+
Product: bugzilla.mozilla.org → bugzilla.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.