Security vulnerability in bugs and answers

Asked by Nick on 2010-04-21

Hello, This was actually pointed out to me by one of my users. The bugs and answers modules allow anyone to edit the status, description, assignee and more. All the user has to do is sign up using some fake account (like I did) and go to a bug/question and they have the same amount of access as the assignee or person posting the bug/question would. If they try to change anything in a blueprint then it says access is denied. Can someone please fix this so that only people that are subscribed to a bug/question can edit it or so that they have to be an approved assignee before editing it. As you can see on this question (https://answers.launchpad.net/lilregcleaner/+question/96998) the user commented on this vulnerability. I have tested it on edge.launchpad.net as well. Thanks!

As you can see I am able to edit this question even though I am not at all related to this question!

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: No assignee
Solved by: Nick
Solved: 2010-04-22
Last query: 2010-04-22
Last reply: 2010-04-21

Curtis Hovey (sinzui) said : #1

Why is this a security issue? Launchpad encourages contribution by allowing users to provide information and make changes. Projects or artefacts like bugs and questions are owned by the community.

Your prescribed enhancement does not address non-subscriptions such as assignees, reporters, Launchpad processes.

Edwin Grubbs (edwin-grubbs) said : #2

I think the most important part of the problem is that the description of a bug or summary can be edited without it being clear that it was changed by someone other than the person who submitted the bug or question. I agree that we shouldn't restrict the community from making changes, but it should be obvious which member of the community has made a change. I think this question should be turned into a bug for that feature.

Gavin Panella (allenap) said : #3

If a bug description is modified from the original, a "See original description" link appears nearby, and all bug activity can be seen on the +activity page, so I think this issue only really applies to Launchpad Answers.

Nick (ub3rst4r) said : #4

Thank you for the timely response. I may have to add a forum for my software so that it will be a little easier for users to submit questions, as some have said this is an unfriendly site.

- Nick