Most of you are probably on rust-dev, but just in case, there is a potential security issue with bors.
jack.

---------- Forwarded message ----------
From: Graydon Hoare <gray...@mozilla.com>
Date: Mon, Jun 24, 2013 at 7:17 PM
Subject: [rust-dev] github security flaw, bors review
To: "rust-...@mozilla.org" <rust-...@mozilla.org>

Hi,

Some clever folks on #rust have pointed out that there is a (somewhat) exploitable security flaw in the way bors consumes r+ comments.

Specifically, github permits a repository owner, in some circumstances (which we can't quite figure out) to _edit comments of other people_ on commits in their repository. This means that the following attack scenario would work:

  DrEvil: Files a PR
  Reviewer: Comments "this is awful!" on PR head-commit
  DrEvil: Edits comment to "r+ p=100" and lands change

So, to work around this I'll probably teach bors to require review comments in a different fashion, such as "r+ <sha1>" on the PR itself, or similar.

In the meantime, reviewers beware: anything you say on the head-commit of a PR can be rewritten by the submitter into an r+, so assume that "commenting _at all_ implies approval".

-Graydon

_______________________________________________
Rust-dev mailing list
rust-...@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev

_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
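A check of the kind Graydon sketches, written here as an added example and not bors' own code: an approval counts only if a known reviewer posted "r+ <sha1>" on the PR itself (not on a commit) and the SHA matches the PR's current head, so an edited commit comment or an approval left on an older head is ignored. The `Comment` record, the reviewer list and the sample comments are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed approval syntax from the mail: "r+ <sha1>" with an optional "p=N" priority.
APPROVAL_RE = re.compile(r"^r\+\s+([0-9a-f]{7,40})(?:\s+p=(\d+))?\s*$", re.IGNORECASE)


@dataclass
class Comment:
    author: str
    body: str
    on_pr: bool  # True: comment on the PR itself; False: comment on a commit


def parse_approval(body):
    """Return (sha_prefix, priority) for a well-formed 'r+ <sha1> [p=N]', else None."""
    m = APPROVAL_RE.match(body.strip())
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2) or 0)


def approved_priority(comments, head_sha, reviewers):
    """Return the highest priority among valid approvals of head_sha, or None.

    A comment is valid only if it comes from a known reviewer, was posted on the
    PR rather than on a commit (where the mail says comments may be editable by
    the repository owner), and names the SHA that is currently the PR head.
    """
    best = None
    for c in comments:
        if c.author not in reviewers or not c.on_pr:
            continue
        parsed = parse_approval(c.body)
        if parsed is None:
            continue
        sha, prio = parsed
        if not head_sha.lower().startswith(sha):
            continue  # approval bound to a different (older) head commit
        best = prio if best is None else max(best, prio)
    return best


# Constructed scenario: a commit comment rewritten to "r+ p=100", a real
# PR-level approval from the reviewer, and a self-approval by the submitter.
HEAD = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
REVIEWERS = {"reviewer"}
COMMENTS = [
    Comment("reviewer", "r+ p=100", on_pr=False),   # edited commit comment: ignored
    Comment("reviewer", "r+ a1b2c3d p=5", on_pr=True),
    Comment("drevil", "r+ a1b2c3d p=100", on_pr=True),  # not a reviewer: ignored
]
```

Calling `approved_priority(COMMENTS, HEAD, REVIEWERS)` yields 5, and the same comments give None once the head SHA changes.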