Security: Able to add myself as reviewer. Is this expected?
Reported by
aj.jaswa...@gmail.com,
Sep 5
Issue description
I could add myself as reviewer in https://chromium-review.googlesource.com/c/aosp/platform/system/connectivity/shill/+/1166222
,
Sep 5
Hi Nodir, can you please assign an owner and confirm the issue?
,
Sep 5
,
Sep 5
,
Sep 5
I am able to see the list of branches at https://chromium-review.googlesource.com/admin/repos/chromiumos/platform2,branches
,
Sep 5
https://chromium-review.googlesource.com/changes/1113917/revisions/28/cherrypick seems to be working with sample payload '{"message":"temp","destination":"A_VALID_BRANCH","keep_reviewers":false}'
,
Sep 5
You can also see them in https://chromium.googlesource.com/chromiumos/platform2/+refs (this is WAI). The entire chromium.googlesource.com is public.
,
Sep 5
,
Sep 5
Only concerning thing is the options for revert and reland. I've not attempted to use them.
,
Sep 5
Note that these buttons won't let arbitrary users actually revert or reland a CL. They would create a new CL scheduled for landing, but it wouldn't be landed without approvals of authority. It is spam, though.
,
Sep 5
Is there any security bug here? Or is there just work to be done on spam prevention?
,
Sep 6
Cool. Got it. Thanks.
,
Sep 6
,
Sep 6
I don't see a security bug.
,
Sep 7
Okay, removing the labels, but re:comment 10, you mentioned it is spam. Is there anything to be done for that?
,
Jan 11
Setting defect without priority to Pri-2.
Comment 1 by aj.jaswa...@gmail.com
, Sep 5