Opened 17 years ago

Closed 17 years ago

#69 closed defect (fixed)

Owner and Administrator are not validated well

Reported by: andersk Owned by: ecprice
Priority: major Milestone: Public Beta
Component: web Version:
Keywords: Cc:

Description

When creating or modifying a VM, the administrator is not validated. We should check that it is a valid user or group.

Change History (4)

comment:1 Changed 17 years ago by andersk

  • Priority changed from major to critical
  • Summary changed from Owner and Administrator is not validated to Owner and Administrator are not validated

The validation on the owner field totally sucks. Try making a VM owned by

../afs/numenor.mit.edu/<script>alert("moo")</script>

comment:2 Changed 17 years ago by broder

  • Milestone set to Public Beta
  • Priority changed from critical to major
  • Summary changed from Owner and Administrator are not validated to Owner and Administrator are not validated well

Ok - made a first round attempt at fixing this. Anders suggests that we should verify a locker exists by querying Hesiod and using the admof program that scripts uses (https://scripts.mit.edu:1111/server/common/oursrc/accountadm/)

comment:3 Changed 17 years ago by ecprice

Are owner checking of:

  • String lacking '/' and not '.' and '..'
  • fs la /mit/<string> returns 0.

and admin checking of:

  • vos exa user.<admin> or pts mem <admin>

not sufficient?

comment:4 Changed 17 years ago by ecprice

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.