Oops, accidentally sent that twice. Anyway, I just realised that the timestamp for editing is only accurate to a minute (from what I can see), so someone could easily write a script that automatically edits any comments by a reviewer (or just sticks by their emails and quickly edits it). So disregard my last idea.
On Tue, Jun 25, 2013 at 11:17 AM, Graydon Hoare <[email protected]> wrote: > Hi, > > Some clever folks on #rust have pointed out that there is a (somewhat) > exploitable security flaw in the way bors consumes r+ comments. > Specifically, github permits a repository owner, in some circumstances > (which we can't quite figure out) to _edit comments of other people_ on > commits in their repository. > > This means that the following attack scenario would work: > > > DrEvil: Files a PR > Reviewer: Comments "this is awful!" on PR head-commit > DrEvil: Edits comment to "r+ p=100" and lands change > > So, to work around this I'll probably teach bors to require review > comments in a different fashion, such as "r+ <sha1>" on the PR itself, or > similar. In the meantime, reviewers beware: anything you say on the > head-commit of a PR can be rewritten by the submitter into an r+, so assume > that "commenting _at all_ implies approval". > > -Graydon > ______________________________**_________________ > Rust-dev mailing list > [email protected] > https://mail.mozilla.org/**listinfo/rust-dev<https://mail.mozilla.org/listinfo/rust-dev> >
_______________________________________________ Rust-dev mailing list [email protected] https://mail.mozilla.org/listinfo/rust-dev
