Opened 16 years ago
Closed 16 years ago
#69 closed defect (fixed)
Owner and Administrator are not validated well
| Reported by: | andersk | Owned by: | ecprice |
|---|---|---|---|
| Priority: | major | Milestone: | Public Beta |
| Component: | web | Version: | |
| Keywords: | Cc: |
Description
When creating or modifying a VM, the administrator is not validated. We should check that it is a valid user or group.
Change History (4)
comment:1 Changed 16 years ago by andersk
- Priority changed from major to critical
- Summary changed from Owner and Administrator is not validated to Owner and Administrator are not validated
comment:2 Changed 16 years ago by broder
- Milestone set to Public Beta
- Priority changed from critical to major
- Summary changed from Owner and Administrator are not validated to Owner and Administrator are not validated well
Ok - made a first round attempt at fixing this. Anders suggests that we should verify a locker exists by querying Hesiod and using the admof program that scripts uses (https://scripts.mit.edu:1111/server/common/oursrc/accountadm/)
comment:3 Changed 16 years ago by ecprice
Are owner checking of:
- String lacking '/' and not '.' and '..'
- fs la /mit/<string> returns 0.
and admin checking of:
- vos exa user.<admin> or pts mem <admin>
not sufficient?
comment:4 Changed 16 years ago by ecprice
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
The validation on the owner field totally sucks. Try making a VM owned by
../afs/numenor.mit.edu/<script>alert("moo")</script>