[katello-devel] Question on Org API

Lukas Zapletal lzap at redhat.com
Tue Nov 20 17:15:21 UTC 2012


On Tue, Nov 20, 2012 at 08:11:55AM -0500, Bryan Kearney wrote:
> >>Does anyone have an issue with making the api
> >>
> >>"/organizations/:id"
> >
> >I have an issue, security one. Imagine the following org:
> >
> >Name: "a"
> >Label: "b"
> >
> >Now attacker could create this org:
> >
> >Name: "b"
> >Label: "x"
> >
> >or
> >
> >Name "y"
> >Label: "a"
> >
> >Depending on which we would prioritize when both are found (name or
> >label), an attacker could inject this organization instead of a known name or
> >label. Bang, we have a man-in-the-middle attack; depending on what can be done
> >on the patch, you could for example register a machine against the wrong
> >organization.
> >
> >I think we need to create a constraint: the Label and Name of all resources
> >need to be unique. Meaning if there is already a label "a", no
> >organization can have label "a" or name "a".
> >
> >LZ
> >
> Seems fair.

Damn, I had to have two coffee breaks while writing my mail, some
sentences do not make sense and there are some typos. Anyway, the idea
is to make sure the :id is unique - what dmitri said.

-- 
Later,

 Lukas "lzap" Zapletal
 #katello #systemengine
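As an added example (not Katello code and not part of the original thread), the Ruby below models the shadowing Lukas describes for a "/organizations/:id" lookup that accepts either a name or a label, and puts the cross-field uniqueness constraint he proposes beside it. The OrgRegistry class, its method names, the sample org names/labels, and the label-before-name lookup priority are assumptions chosen for illustration.

```ruby
# Added example, not Katello code: a toy model of the :id ambiguity discussed
# in the quoted mail, with the proposed cross-field uniqueness constraint.
# Organization names/labels and the label-before-name priority are assumptions.
Org = Struct.new(:name, :label)

class OrgRegistry
  def initialize
    @orgs = []
  end

  # Per-field uniqueness only: a new name may still equal another org's label.
  def create_loose(name, label)
    raise ArgumentError, "name #{name.inspect} already used" if @orgs.any? { |o| o.name == name }
    raise ArgumentError, "label #{label.inspect} already used" if @orgs.any? { |o| o.label == label }
    @orgs << Org.new(name, label)
    @orgs.last
  end

  # Constraint proposed in the thread: a new name or label may not equal any
  # existing name OR label, so one value can never identify two orgs.
  def create_strict(name, label)
    taken = @orgs.flat_map { |o| [o.name, o.label] }
    [name, label].each do |v|
      raise ArgumentError, "#{v.inspect} already used as a name or label" if taken.include?(v)
    end
    @orgs << Org.new(name, label)
    @orgs.last
  end

  # Lookup for "/organizations/:id" where :id may be a name or a label.
  # Whichever field is tried first wins when both match different orgs.
  def find_loose(id, prefer: :label)
    first, second = prefer == :label ? [:label, :name] : [:name, :label]
    @orgs.find { |o| o[first] == id } || @orgs.find { |o| o[second] == id }
  end

  # Defensive lookup: refuse to answer if :id matches more than one org.
  def find_strict(id)
    matches = @orgs.select { |o| o.name == id || o.label == id }
    raise "ambiguous id #{id.inspect}" if matches.size > 1
    matches.first
  end
end

# Victim org Name "a"/Label "b"; the attacker registers Name "y"/Label "a"
# and Name "b"/Label "x" (the two cases from the mail). Returns the name of
# the org each lookup resolves to under each priority.
def shadowing_demo
  reg = OrgRegistry.new
  reg.create_loose("a", "b")   # victim
  reg.create_loose("y", "a")   # attacker: label collides with victim's name
  reg.create_loose("b", "x")   # attacker: name collides with victim's label
  [
    reg.find_loose("a", prefer: :label).name, # "y": attacker shadows victim
    reg.find_loose("a", prefer: :name).name,  # "a": victim
    reg.find_loose("b", prefer: :label).name, # "a": victim
    reg.find_loose("b", prefer: :name).name   # "b": attacker shadows victim
  ]
end

# With the cross-field constraint both attacker orgs are rejected and either
# identifier resolves to the victim, whatever the lookup priority.
def strict_demo
  reg = OrgRegistry.new
  reg.create_strict("a", "b")
  rejected = [["y", "a"], ["b", "x"]].count do |name, label|
    begin
      reg.create_strict(name, label)
      false
    rescue ArgumentError
      true
    end
  end
  [rejected, reg.find_strict("a").name, reg.find_strict("b").name]
end

if __FILE__ == $PROGRAM_NAME
  p shadowing_demo  # => ["y", "a", "a", "b"]
  p strict_demo     # => [2, "a", "a"]
end
```

Whichever field the loose lookup prefers, one of the two attacker orgs captures one of the victim's identifiers; only the constraint that spans both columns removes the ambiguity, and find_strict is the cheap check to keep in front of the route even after the constraint exists.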