juanpablo-santos commented on PR #228: URL: https://github.com/apache/jspwiki/pull/228#issuecomment-1284553889
Hi, as of the PR:

> To clarify, the uid is not ever controlled by an outside actor? It is only ever an internal value not supplied by user controlled data?

I'm saying it doesn't matter. Worst case scenario, you'll try to traverse directories inside the jspwiki working directory (set up by an administrator), so most probably you'd be able to see lucene files or things like that, if you guess the autogenerated file names. But that shouldn't happen because the requested/traversed file path is compared against a computer generated value (cookieDir inside jspwiki working dir), and if the first doesn't start with the second, the file isn't served.

---

as for the way of working/disclosing vulnerabilities: my main concern is with public disclosure because there's no time / the scale is too big / YOLO. IMHO, working at that scale is no excuse for public disclosure. Suppose you find the next log4shell or whatever, do you think publicly disclosing that is responsible? Lack of tooling is no excuse - just build that.

> For ASF projects, you can directly follow up with these instructions; since there are more than 200 ASF projects, plus the incubating ones, surely that's worth automating.
>
> I'm struggling to understand what you're asking for here with these two comments. They seem to contradict each other.

I (re)wrote the comment several times, in order to just cool down. The original thought was that if you prefer to continue mass disclosing, at least please consider for ASF projects changing your tooling so that instead of opening a PR, thus publicly disclosing, just follow the aforementioned instructions. Surely other big projects have their own security vulnerabilities reporting, off the top of my head I'm thinking of Spring or Eclipse Foundation projects... they'll surely appreciate that too.

> I am taking feedback like yours into consideration. I'm sorry that this upset you so much.
>
> If you'd like to set up some time to discuss your feelings and potential solutions in more detail, feel free to grab a slot on my calendar. I'm more than happy to chat.

No hard feelings, so no worry about that (although I don't wish to pursue this further). I'll proceed with closing the issue, however if you feel the PR needs further discussion feel free to reopen.

best regards,
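As an added illustration of the containment check described in the first paragraph of the comment (a requested file is served only if its resolved path starts with the cookie directory under the working directory), here is example code written for this page, not JSPWiki's own; the class name, method name and the `cookies` subdirectory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Containment check in the spirit of the one described above: a requested file is
 * served only if it resolves inside the cookie directory under the wiki's working
 * directory. Class, method and directory names are assumptions, not JSPWiki's own.
 */
public final class CookieDirGuard {

    private final Path cookieDir;

    public CookieDirGuard(Path workDir) throws IOException {
        // Resolve once so symlinks in the working directory cannot skew later comparisons.
        this.cookieDir = workDir.resolve("cookies").toRealPath();
    }

    /** Returns the resolved path if it is inside cookieDir, otherwise null (do not serve). */
    public Path resolveIfInside(String requestedName) {
        // normalize() collapses "." and ".." components; Path.startsWith compares whole
        // components, so a sibling such as "cookies-old" is not mistaken for a child.
        Path candidate = cookieDir.resolve(requestedName).normalize();
        if (!candidate.startsWith(cookieDir)) {
            return null;
        }
        try {
            // Follow symlinks on the final path too before serving.
            Path real = candidate.toRealPath();
            return real.startsWith(cookieDir) ? real : null;
        } catch (IOException e) {
            return null; // missing or unresolvable: nothing to serve
        }
    }

    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("jspwiki-work");
        Path cookies = Files.createDirectories(work.resolve("cookies"));
        Files.createFile(cookies.resolve("abc123"));
        CookieDirGuard guard = new CookieDirGuard(work);
        System.out.println(guard.resolveIfInside("abc123"));   // inside: served
        System.out.println(guard.resolveIfInside("../other")); // escapes: null
    }
}
```

The component-wise `Path.startsWith` plus `normalize()`/`toRealPath()` is what keeps a plain string-prefix comparison from being satisfied by a sibling directory or a symlink that points outside the cookie directory.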