diff CHANGES.txt @ 6375:c4371ec7d1c0

Call verifyPassword even if user does not exist. Address timing attack caused by not doing the password check if the user doesn't exist. Can expose valid usernames. Really only useful for a tracker that doesn't allow anonymous access to issues. Issues usually show usernames as part of the message display.
author John Rouillard <rouilj@ieee.org>
date Tue, 06 Apr 2021 22:51:55 -0400
parents 58817c3bf471
children a7e7314fb7d9
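The side channel described in the commit message, as an added example that is not Roundup's code: a toy user store with PBKDF2 password hashes, a login that returns immediately when the username is unknown, and a hardened variant that always runs the password check, against a dummy hash when there is no account, so both paths do the same work. The function and variable names (verify_password, login_vulnerable, login_hardened, DUMMY_HASH) and the user database are hypothetical and constructed here.

```python
"""Timing leak from skipping the password check for unknown users (added example,
not Roundup code; names are hypothetical)."""
import hashlib
import hmac
import os
import statistics
import time
from typing import Optional

HASH_NAME = "sha256"
ITERATIONS = 100_000  # deliberately slow, as a real password hash is

# Counts calls to verify_password so the behavioural difference between the
# two login variants can be checked without relying on wall-clock timing.
verify_calls = {"count": 0}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing PBKDF2 hash string: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    verify_calls["count"] += 1
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample user database (constructed data, one account).
USERS = {"admin": hash_password("correct horse battery staple")}

# Hash of a random throwaway password, computed once at import. Verifying
# against it costs the same as a real check and can never succeed in practice.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_vulnerable(username: str, password: str) -> bool:
    """Before: unknown users fail fast, so response time reveals whether the
    account exists."""
    stored = USERS.get(username)
    if stored is None:
        return False  # no hashing done: this path is orders of magnitude faster
    return verify_password(stored, password)


def login_hardened(username: str, password: str) -> bool:
    """After: run the password check even when the user does not exist."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(DUMMY_HASH, password)  # same work; result is ignored
        return False
    return verify_password(stored, password)


def calls_made(fn, username: str, password: str) -> int:
    """Number of verify_password invocations a single login attempt causes."""
    before = verify_calls["count"]
    fn(username, password)
    return verify_calls["count"] - before


def median_ms(fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of a login attempt, in milliseconds."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    # Known vs. unknown username with a wrong password: the vulnerable variant
    # shows a large gap, the hardened one does not.
    for fn in (login_vulnerable, login_hardened):
        known = median_ms(fn, "admin", "wrong")
        unknown = median_ms(fn, "nobody", "wrong")
        print(f"{fn.__name__}: known user {known:.1f} ms, unknown user {unknown:.1f} ms")
```

The dummy hash must use the same algorithm and cost parameters as the real ones, otherwise the two paths differ in duration again. As the commit message notes, this only helps where usernames are not already visible elsewhere, such as in issue messages on a tracker that allows anonymous reading.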
line diff
--- a/CHANGES.txt	Mon Apr 05 22:42:07 2021 -0400
+++ b/CHANGES.txt	Tue Apr 06 22:51:55 2021 -0400
@@ -73,6 +73,9 @@
 - issue2551108 - fix handling of designator links when formatted
   as markdown links. (Reported by Cedric Krier; John Rouillard)
 - Fix filename created from mail attachments, fixes issue2551118
+- Call verifyPassword even if user does not exist. Address timing
+  attack to discover valid account names. Useful where anonymous user
+  is not allowed access. (John Rouillard)
 
 Features:
 - issue2550522 - Add 'filter' command to command-line
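Review bot: the new entry ("Call verifyPassword even if user does not exist") carries no issue reference, unlike the neighbouring entries (issue2551108, issue2551118), and does not say what verifyPassword is run against when there is no account, which a reader of CHANGES needs to judge whether the known-user and unknown-user paths now take comparable time. Suggest adding an issue number if one exists and a few words on the comparison target, and spelling out the residual exposure from the commit message, that usernames remain visible in issue messages on trackers that allow anonymous access, rather than only "Useful where anonymous user is not allowed access."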

Roundup Issue Tracker: http://roundup-tracker.org/