View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008011 | 10000-004: Services | Spec | public | 2022-05-25 15:24 | 2023-09-21 12:23 |
Field | Value
---|---
Reporter | Randy Armstrong
Assigned To | Matthias Damm
Priority | normal
Severity | minor
Reproducibility | have not tried
Status | closed
Resolution | fixed
Fixed in Version | 1.05.03
Summary | 0008011: Restrictions on DiagnosticInfo.AdditionalInfo with unauthenticated Clients
Description | Many servers return full stack traces in AdditionalInfo, which is quite helpful for debugging connection issues. This information could be exploited by a malicious client. The text for the AdditionalInfo should add a caveat that, by default, AdditionalInfo shall only be provided to authenticated Clients. If Servers accept all valid Certificates (like a GDS), then the AdditionalInfo shall only be provided to Clients with access to a Role that grants them some level of administrative privileges. Servers may also have a "debug mode" that is enabled in configuration that increases the detail in AdditionalInfo provided to unauthenticated and authenticated Clients to facilitate debugging of connection issues. The "debug mode" should never be left enabled once these issues are resolved. Servers should also log the additional info even if it is not returned to the client because it does not have sufficient rights. Text should make it clear that clients may not get AdditionalInfo even if they ask for it.
Tags | No tags attached.
Commit Version | 1.05.03
Fix Due Date |

Relationship | ID | Status | Assigned To | Project | Summary
---|---|---|---|---|---
related to | 0008012 | closed | Paul Hunkar | 10000-002: Security | Restrictions on DiagnosticInfo.AdditionalInfo with unauthenticated Clients
related to | 0007947 | closed | Randy Armstrong | 10000-006: Mappings | Certificate Validation are missing details about the Reason in Error Message
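The policy the description asks for (redact AdditionalInfo for unauthenticated Clients, require an administrative Role when the Server accepts every valid Certificate, widen it only under an explicit debug switch, and always keep the full detail in the Server's own log) can be expressed as a small decision routine. The code below is an added illustration written for this page; it is not text from the OPC UA specification and not code from any SDK. The `debug_mode` switch, the role names `SecurityAdmin` and `ConfigureAdmin`, the `requested` flag standing in for the Client's ReturnDiagnostics request, and the sample stack-trace string are all assumptions made for the example; treating debug mode as returning detail to every client, authenticated or not, is one reading of the description.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, List, Optional


class TrustPolicy(Enum):
    """How the Server decides which client certificates to trust."""
    TRUST_LIST = auto()   # only certificates in the Server's trust list
    ACCEPT_ALL = auto()   # any valid certificate is accepted, as a GDS does


@dataclass(frozen=True)
class ServerConfig:
    trust_policy: TrustPolicy
    # Hypothetical configuration switch: returns full detail to every client while a
    # connection problem is being debugged. It must be switched off again afterwards.
    debug_mode: bool = False
    # Roles assumed to count as "some level of administrative privilege".
    admin_roles: FrozenSet[str] = frozenset({"SecurityAdmin", "ConfigureAdmin"})


@dataclass(frozen=True)
class ClientSession:
    authenticated: bool              # identity token validated, not merely a valid certificate
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DiagnosticInfo:
    symbolic_id: str                 # coarse status, safe to return to anyone
    additional_info: Optional[str] = None


class DiagnosticPolicy:
    """Decides what goes into DiagnosticInfo.AdditionalInfo for a given session."""

    def __init__(self, config: ServerConfig) -> None:
        self.config = config
        self.server_log: List[str] = []   # full detail always lands here, whatever the client sees

    def allowed(self, session: ClientSession) -> bool:
        cfg = self.config
        if cfg.debug_mode:                      # explicit, temporary widening
            return True
        if not session.authenticated:           # default: authenticated Clients only
            return False
        if cfg.trust_policy is TrustPolicy.ACCEPT_ALL:
            # Every valid certificate is accepted, so authentication alone is not enough.
            return bool(session.roles & cfg.admin_roles)
        return True

    def build(self, session: ClientSession, symbolic_id: str, detail: str,
              requested: bool = True) -> DiagnosticInfo:
        # Log first: the Server keeps the detail even when the client must not see it.
        self.server_log.append(f"{symbolic_id}: {detail}")
        if requested and self.allowed(session):
            return DiagnosticInfo(symbolic_id, detail)
        # The client may have asked for AdditionalInfo and still not receive it.
        return DiagnosticInfo(symbolic_id)


# Constructed sample of the kind of text a Server might otherwise put into AdditionalInfo.
SAMPLE_DETAIL = "BadCertificateUntrusted raised in CertificateValidator.Validate (frame 3 of 7)"


def demo() -> Dict[str, object]:
    """Run three client kinds against a Server that accepts all valid certificates."""
    gds = DiagnosticPolicy(ServerConfig(TrustPolicy.ACCEPT_ALL))
    anon = ClientSession(authenticated=False)
    operator = ClientSession(authenticated=True, roles=frozenset({"Operator"}))
    admin = ClientSession(authenticated=True, roles=frozenset({"SecurityAdmin"}))
    return {
        "anonymous": gds.build(anon, "BadCertificateUntrusted", SAMPLE_DETAIL).additional_info,
        "operator": gds.build(operator, "BadCertificateUntrusted", SAMPLE_DETAIL).additional_info,
        "admin": gds.build(admin, "BadCertificateUntrusted", SAMPLE_DETAIL).additional_info,
        "logged": len(gds.server_log),   # all three attempts are logged server-side
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a trust-list Server the same routine returns the detail to any authenticated session, and only the `debug_mode` switch exposes it to an unauthenticated one, which is why that switch deserves an alarm or expiry in real deployments rather than a plain boolean.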
Notes

Added the following clarification: AdditionalInfo shall only be provided to authenticated Clients. If the Server trusts all Clients, it shall limit AdditionalInfo to authenticated users.

Agreed to changes edited in Dallas meeting.

The AdditionalInfo is not necessarily security sensitive; providing full stack traces in it is a problem of the It makes no sense to generally prohibit the AdditionalInfo due to an implementation in a single

Removed additional sentence for AdditionalInfo. Added following sentence to overall description for DiagnosticInfo:

Agreed to changes in F2F.
Date Modified | Username | Field | Change |
---|---|---|---|
2022-05-25 15:24 | Randy Armstrong | New Issue | |
2022-05-25 15:25 | Randy Armstrong | Issue cloned: 0008012 | |
2022-05-25 15:26 | Randy Armstrong | Description Updated | |
2022-07-05 16:37 | Jim Luth | Assigned To | => Matthias Damm |
2022-07-05 16:37 | Jim Luth | Status | new => assigned |
2022-07-05 16:37 | Jim Luth | Relationship added | related to 0008012 |
2023-03-20 05:22 | Matthias Damm | Status | assigned => resolved |
2023-03-20 05:22 | Matthias Damm | Resolution | open => fixed |
2023-03-20 05:22 | Matthias Damm | Fixed in Version | => 1.05.03 RC1 |
2023-03-20 05:22 | Matthias Damm | Note Added: 0018905 | |
2023-03-22 17:55 | Jim Luth | Relationship added | related to 0007947 |
2023-03-22 17:55 | Jim Luth | Status | resolved => closed |
2023-03-22 17:55 | Jim Luth | Note Added: 0018971 | |
2023-09-15 08:07 | Matthias Damm | Status | closed => feedback |
2023-09-15 08:07 | Matthias Damm | Resolution | fixed => reopened |
2023-09-15 08:07 | Matthias Damm | Note Added: 0019991 | |
2023-09-20 08:21 | Matthias Damm | Status | feedback => resolved |
2023-09-20 08:21 | Matthias Damm | Resolution | reopened => fixed |
2023-09-20 08:21 | Matthias Damm | Fixed in Version | 1.05.03 RC1 => 1.05.03 |
2023-09-20 08:21 | Matthias Damm | Note Added: 0020009 | |
2023-09-21 12:23 | Jim Luth | Status | resolved => closed |
2023-09-21 12:23 | Jim Luth | Commit Version | => 1.05.03 |
2023-09-21 12:23 | Jim Luth | Note Added: 0020040 |