Merge lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments into lp:launchpad/db-devel

Proposed by Abel Deuring
Status: Merged
Merged at revision: 9617
Proposed branch: lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments
Merge into: lp:launchpad/db-devel
Diff against target: 18 lines (+14/-0)
1 file modified
database/schema/patch-2207-79-0.sql (+14/-0)
To merge this branch: bzr merge lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments
Reviewer Review Type Date Requested Status
Stuart Bishop (community) db Approve
Robert Collins (community) Needs Fixing
Review via email: mp+31563@code.launchpad.net

Description of the change

This branch adds a schema patch to update the "restricted" flag of LibraryFileAlias records belonging to bug attachments of private bugs.

A related branch, lp:~adeuring/launchpad/bug-39674-flip-lfa-restricted-flag, will land soon, which will set LFA.restricted when a bug attachment is added to a private bug or when Bug.setPrivate() is called. We should also set LFA.restricted for existing data once this branch is merged.

Robert Collins (lifeless) wrote :

So, we have a problem here - making user content visible in the launchpad.net domain is a huge security hole - we can't do it at all safely - we need to either:
 - set content-disposition: attachment
 - serve the content from a different domain (I have a proof of concept branch working on this).

So, while this is slightly the wrong venue, we need to ensure that one of the two above things happens *before* any private bug attachments are served.

review: Needs Fixing
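The two mitigations named in the review above, forcing a download with `Content-Disposition: attachment` and keeping user files off the application's own origin, as an added Python example; this is not Launchpad code, and the host names, the `ACTIVE_TYPES` set and the helper names are assumptions made for the illustration.

```python
"""Defensive response headers for serving user-uploaded files.

Added example, not Launchpad's own code: shows why an upload served inline
from the application origin is dangerous (a browser would render an HTML
or SVG upload with the session cookies of that origin) and how the two
mitigations from the review look in practice.
"""
from urllib.parse import quote

# Assumed names for the illustration: the application's own origin and a
# dedicated host used only for user files (the "different domain" option).
APP_HOST = "launchpad.example"
FILES_HOST = "files.launchpad.example"

# Content types a browser renders as a document (and so runs script in the
# serving origin); these turn an "attachment" into code execution if the
# disposition is ignored or sniffed away.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def content_disposition(filename):
    """Build an RFC 6266 attachment header with a safe ASCII fallback name."""
    # Keep only printable ASCII in the quoted fallback and drop quote,
    # backslash and slash so the value cannot break out of the quoted string
    # or smuggle CR/LF into the header block.
    ascii_name = "".join(
        c for c in filename.encode("ascii", "replace").decode("ascii")
        if 0x20 <= ord(c) < 0x7F and c not in '"\\/')
    ascii_name = ascii_name or "download"
    # RFC 5987 form carries the original UTF-8 name for modern browsers.
    utf8_name = quote(filename, safe="")
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_name, utf8_name)


def attachment_headers(filename, declared_type, host):
    """Headers for serving an untrusted upload from ``host``.

    On the application origin the file is always forced to a download and
    active types are relabelled as opaque bytes, so even a browser that
    ignores the disposition has nothing to render. On the dedicated files
    host the declared type is kept: that origin holds no session state.
    """
    declared_type = declared_type.split(";")[0].strip().lower()
    headers = {
        "Content-Disposition": content_disposition(filename),
        # Stop MIME sniffing, which would otherwise let a browser promote a
        # text/plain upload containing markup to text/html.
        "X-Content-Type-Options": "nosniff",
        "Content-Type": declared_type,
    }
    if host == APP_HOST and declared_type in ACTIVE_TYPES:
        headers["Content-Type"] = "application/octet-stream"
    return headers


def is_safe_to_serve(headers, host):
    """Check an outgoing response against the two mitigations from the review."""
    if headers.get("X-Content-Type-Options") != "nosniff":
        return False
    if host != APP_HOST:
        # Separate origin: inline rendering cannot reach the app's cookies.
        return True
    return (headers.get("Content-Disposition", "").startswith("attachment")
            and headers.get("Content-Type") not in ACTIVE_TYPES)


if __name__ == "__main__":
    # Constructed sample: an upload whose name and type are attacker-chosen.
    for host in (APP_HOST, FILES_HOST):
        h = attachment_headers("report<script>.html", "text/html", host)
        print(host, h, "safe" if is_safe_to_serve(h, host) else "UNSAFE")
```

`is_safe_to_serve` is the check a response-level test or middleware would run: on the application origin it demands all three headers together, because any one of them alone still leaves a rendering path (a missing `nosniff` lets a sniffed type override, a kept `text/html` type is rendered by clients that ignore the disposition).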
Abel Deuring (adeuring) wrote :

On 03.08.2010 00:36, Robert Collins wrote:
> Review: Needs Fixing
> So, we have a problem here - making user content visible in the launchpad.net domain is a huge security hole - we can't do it at all safely - we need to either:
> - set content-disposition: attachment
> - serve the content from a different domain (I have a proof of concept branch working on this).

Could you elaborate a bit what the security hole is?

(and, BTW, I'm using the standard pattern for proxied LFAs, so, if they
have a security problem, this problem exists too in other places where
restricted LFAs are used. And while these other use cases may not be as
problematic as a core dump file visible to the wrong person, the current
situation is worse for bug attachments: all of them are public.)

>
> So, while this is slightly the wrong venue, we need to ensure that one of the two above things happens *before* any private bug attachments are served.

As I wrote above -- we have served them for years completely unrestricted...

Robert Collins (lifeless) wrote :

I've filed a separate bug about this this morning, and chatted with
Abel on IRC; I think we're all on the same page now.

Abel Deuring (adeuring) wrote :

> So, we have a problem here - making user content visible in the launchpad.net
> domain is a huge security hole - we can't do it at all safely - we need to
> either:
> - set content-disposition: attachment
> - serve the content from a different domain (I have a proof of concept branch
> working on this).
>
> So, while this is slightly the wrong venue, we need to ensure that one of the
> two above things happens *before* any private bug attachments are served.

This is fixed in a different branch: lp:~adeuring/launchpad/bug-612779

Stuart Bishop (stub) wrote :

This is fine and should be fairly quick and doable as a database patch.

patch-2207-79-0.sql

review: Approve (db)

Preview Diff

1=== added file 'database/schema/patch-2207-79-0.sql'
2--- database/schema/patch-2207-79-0.sql 1970-01-01 00:00:00 +0000
3+++ database/schema/patch-2207-79-0.sql 2010-08-04 09:15:56 +0000
4@@ -0,0 +1,14 @@
5+-- Copyright 2010 Canonical Ltd. This software is licensed under the
6+-- GNU Affero General Public License version 3 (see the file LICENSE).
7+
8+-- Update the flag restricted of LibraryFileAlias records which belong
9+-- to bug attachments of private bugs.
10+
11+SET client_min_messages=ERROR;
12+
13+UPDATE LibraryFileAlias SET restricted=true
14+ WHERE id IN (
15+ SELECT libraryfile from BugAttachment, Bug
16+ WHERE BugAttachment.bug = Bug.id AND Bug.private);
17+
18+INSERT INTO LaunchpadDatabaseRevision VALUES (2207, 79, 0);
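Review bot: The outer WHERE of the UPDATE (hunk lines 13-16) places no condition on the current value of `restricted`, so every LibraryFileAlias attached to a private bug is rewritten even when it is already restricted; adding `AND NOT restricted` to the outer WHERE makes the patch cheaper and safe to re-run. The patch is also one-directional by design: it only sets the flag and never clears it, so the description's note that the related branch handles `Bug.setPrivate()` going forward should be read as covering the clearing case, not this patch. Minor style point: `from` on hunk line 15 is lowercase while every other keyword in the file is uppercase.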
