On 6/27/19 6:18 PM, Howard Chu wrote:
Michael Ströder wrote:
> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>> Thanks to Ondrej, this list is a bit shorter now. :)
> But one more I'd love to see in 2.4.48:
> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
I don't believe the information disclosure issues have been
sufficiently answered there. Overall it's a bad idea and goes against
our standing policy of minimal disclosure.
Sorry, you already have the disclosure.
Citing from my old e-mail found here:
But this problem exists anyway because an attacker can probe
values by adding entries with non-unique attributes and determine
whether an attribute value exists or not by distinguishing the result
code constraintViolation(19) vs. insufficientAccessRights(50).
Even worse this even works in case the attacker does not have read