Security Vulnerability

[mschop]

Hi @ignacionelson ,

I have tried to contact you through contact@projectsend.org but unfortunately no one is answering to me. You have critical security vulnerabilities in your code. Could you please tell me, how you plan to approach this issue or take any other action? Otherwise I have to publish the security problem here on Gitlab.

Best Regards
mschop

[ignacionelson]

Hello! Can you please resend you email? Are this vulnerabilities still present on version r1053? Thank you!

[mschop]

Hi, I've just sent a new email. The problem was reproducible in master branch last week. NP

[mschop]

CVE-2018-10826

[ignacionelson]

Somehow I'm not getting your emails, nor can I see the CVE online yet.
Can you please send it to info@subwaydesign.com.ar? Sorry for this.

[mschop]

You can't see the CVE, because it's currently not published (prereserved). As soon as you fixed the security vulnerabilities I will publish it. Please don't wait too long with the fixes ;-). Normally I would give 60 days before I publish the security vulnerability.

I resend the emails to this address.

[micschk]

@mschop I appreciate that you've discovered & are trying to get a security issue fixed, and if #552 or the contents of your e-mails already addresses this, please consider the below (well-meant) suggestion invalid;
As a developer I myself have learned a lot from the work of others, also in the form of contributions/improvements to my (published) code. Therefore in the spirit of open-source maybe you could consider contributing a fix for the issue(s) you've discovered and sending a PR?
The effect of (impending) publishing of a CVE would seem to mainly add pressure for a developer who's already given away a lot of time & effort for free, and who may instead be much better helped with some solid security advise/contributions also taking into consideration #600, #602, #603, #604, #605 & #606

[ignacionelson]

Hello @micschk !! Thanks for your contribution!
I have been exchanging several emails with @mschop and a fix is already being worked on.
However PS is in the middle of a big refactoring stage and the purposed fix will be better applied at a later stage, when an appropiate container is set on the app.
Sorry that it's taking so long but the task at hand is big. I'm really enjoying the process though :)

[ignacionelson]

Also, I can honestly say that the information @mschop has been sending me turned out to be invaluable. Concepts I've never heard of that I've learned thanks to this exchange and that I'm waiting the chance to apply to PS. But as I stated before, there's a lot of code that needs to be refactored before that stage!

[mschop]

@micschk As @ignacionelson already mentioned, we discussed the issues and how to fix them via email.

CVE's are not intended to put pressure on a producer but to identify every security vulnerability. "Responsible Disclosure" is the ideal way to handle security vulnerabilities. Therefore I did not disclose the details of the vulnerability but kept the communication secret with @ignacionelson .

Ideal way is:

• Create a CVE-Id
• Contact software producer / developer
• Give 30-90 days to fix the issue
• make the details public

[micschk]

Great to hear, please consider my comment withdrawn then. Thanks!

[mschop]

@ignacionelson Is this already fixed? I would like to publish the details and close this issue.