Package author shown in atom package list may not match actual author on atom.io - Githubissues

atom / settings-view

🔧 Edit Atom settings

MIT License

272 stars 275 forks source link

Package author shown in atom package list may not match actual author on atom.io #1118

Closed wesinator closed 5 years ago

wesinator commented 5 years ago

Prerequisites

[x] Put an X between the brackets on this line if you have done all of the following:
- Reproduced the problem in Safe Mode: http://flight-manual.atom.io/hacking-atom/sections/debugging/#using-safe-mode
- Followed all applicable steps in the debugging guide: http://flight-manual.atom.io/hacking-atom/sections/debugging/
- Checked the FAQs on the message board for common solutions: https://discuss.atom.io/c/faq
- Checked that your issue isn't already filed: https://github.com/issues?utf8=✓&q=is%3Aissue+user%3Aatom
- Checked that there is not already an Atom package that provides the described functionality: https://atom.io/packages

Description

Package author displayed based on repository in atom packages settings may not match the actual author/publisher on atom.io, can be spoofed.

Steps to Reproduce

This package - https://atom.io/packages/atom-whois View the package in atom Packages search

Expected behavior: Shows actual author of package based on atom.io author

Actual behavior: Package author is shown as being atom, presumably based on the user in the repository field.

The package repo URL was set to atom - https://github.com/giovazz89/atom-whois/pull/4

Reproduces how often: 💯

Versions

macOS

Atom    : 1.34.0
Electron: 2.0.16
Chrome  : 61.0.3163.100
Node    : 8.9.3
apm  2.1.3

lee-dohm commented 5 years ago

@Arcanemagus raised a good point that this can be considered a security issue since obviously this package wasn't published by the Atom team.