On Mar 26, 2007, at 12:25 PM, Perrin Harkins wrote:
> That's easy to say in this specific case, since the actual threat is
> so tiny that it didn't make much difference. You guys probably
> wouldn't think it was such a good idea if it had been a more serious
> exploit and someone had used it to compromise your servers before a
> fix was available.
Keep in mind -- in this specific case the discussion went like this (the
first 3 emails):
From: [EMAIL PROTECTED]
Date: March 22, 2007 11:57:41 AM EDT
Subject: [mp1] PerlRun fails if path_info contains special symbols

From: [EMAIL PROTECTED]
Date: March 22, 2007 11:04:37 PM EDT
Subject: Re: [mp1] PerlRun fails if path_info contains special symbols

From: merlyn@stonehenge.com
Date: March 22, 2007 11:20:48 PM EDT
Subject: MP1 Security issue (was Re: [mp1] PerlRun fails if path_info contains special symbols)
It's not the case that Randal found an exploit and said "Hey
developers! There's a security breach I found" -- which a lot of
these postings insinuate.
Alex found the issue, and reported it as a bug.
Perrin asked, 'do you think you can patch it?'
Randal replied "Wait - this isn't a bug, it's a security issue. This
needs faster attention."
Randal didn't raise a report on a new security threat -- he
re-categorized an active bug discussion as a security threat.
People have commented "This isn't the proper way to report a security
threat." Well, right now ModPerl doesn't have a published protocol
for dealing with security threats.
In fact, there's no security policy *at all* on the mod_perl
website. There also aren't any listings or contact addresses for
project maintainers -- the closest thing available is a current +
historical intermingled list of people who have contributed. All the
"Report a bug" information makes it very clear that everything should
be posted to the mailing list for discussion, and there is no mention
of "if you believe this could have security implications, please do
not post it publicly".
That said, I think the suggestion to email "info, support,
security" as a first step is ridiculous -- they're not addresses
universally used across projects, and shouldn't be expected to work
as such. There's about as much rationale to crossing your fingers
and hoping someone sees those messages as writing to
"[EMAIL PROTECTED]".
I suggest the core developers devise some protocol + notification
scheme / contact addresses they feel comfortable with, and publish it
on these pages:
Reporting bugs
http://perl.apache.org/bugs/index.html
http://perl.apache.org/docs/1.0/guide/help.html#How_to_Report_Problems
http://perl.apache.org/docs/2.0/user/help/help.html#Reporting_Problems
Getting Help
http://perl.apache.org/help/index.html
It could be as simple as:
"If you think you have found a security threat, please email _______
and give us 7 days to respond and work out a disclosure scheme with
you."
We're all fortunate that this discussion happened around a trivial
threat in a largely insignificant/unused feature -- but there should
be a system or directions in place for the unlikely event that
someone else finds a serious bug and follows every piece of
information on the website that says "just post it to the mailing list".
// Jonathan Vanasco
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -