Closed Bug 102141 Opened 23 years ago Closed 23 years ago

[security] When changing a bug the Product: list has options the user doesn't have access to.

Categories

(Bugzilla :: Creating/Changing Bugs, defect, P1)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
2.14
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: george.hotelling, Assigned: george.hotelling)

References

Details

(Whiteboard: applied to 2.14.1)

Attachments

(2 files, 5 obsolete files)

Patch v4 - adds a comment I forgot. :)
2.38 KB, patch
bbaetz
: review+
caillon
: review+
Details | Diff | Splinter Review
Fix v.1 to Patch v.4
313 bytes, patch
justdave
: review+
bbaetz
: review+
Details | Diff | Splinter Review
If a bug is created in the product Foo, a user with Foo Bug Access will be able to see other products in the Product pulldown menu in show_bug.cgi. I can reproduce it by doing the following: 1. Create a user Alice who has only Foo Bugs Access, and no other permissions checked. 2. Alice submits a bug for the Foo product. 3. Alice views the bug at show_bug.cgi 4. Alice selects the Product pulldown menu (normally used to change which product a bug belongs to) and sees that products Bar and Baz also exist. Instead, Bugzilla should only display products that Alice has access to. In this case the only Foo should be displayed.
OS: Windows 2000 → OpenBSD
confirmed. nifty, we missed one. :(
Severity: normal → critical
Priority: -- → P1
Whiteboard: security
Target Milestone: --- → Bugzilla 2.16
OS: OpenBSD → All
Hardware: PC → All
I took most of the code for my patch from enter_bug.cgi. This is my first time playing with the bugzilla code so please double or triple check my work.
George, can you attach a unified version of your patch? ("cvs diff -u")
Attached patch Unified version of the patch (obsolete) — Splinter Review
Keywords: patch
We should factor out the common code. My idea: wait for the enter_bug.cgi templatisation to land and then make a patch factoring it out into some common file. Gerv
Severity: critical → blocker
Summary: When changing a bug the Product: list has options the user doesn't have access to. → [security] When changing a bug the Product: list has options the user doesn't have access to.
This patch is identical to the one above, but it applies cleanly. Not sure what was wrong with the above one, but patch complained about garbage in the file and wasn't able to determine what file was being patched.
Attachment #51521 - Attachment is obsolete: true
Attachment #51609 - Attachment is obsolete: true
Comment on attachment 58650 [details] [diff] [review] same as previous, but applies cleanly r= justdave it works as advertised, tried it on my local install.
Attachment #58650 - Flags: review+
Comment on attachment 58650 [details] [diff] [review] same as previous, but applies cleanly I'm retracting my review... scenario: User does not have access to the product the bug is in. Either the product bit on the bug was turned off, or the cc_accessible bit is on and the user was CCed on the bug. If the user looks at the bug, it's not going to show the product the bug is in, and it's also going to force the user to change the product to something he does have access to if he tries to edit the bug. It needs to add the current product to the @products list, even if the user can't see it.
Attachment #58650 - Flags: review+ → review-
This one ensures that the product being checked isn't the current product before removing it from consideration for the @product list.
Attachment #58650 - Attachment is obsolete: true
This one, besides avoiding removing the product from the list if the product the bug is already in has disallownew set, also redoes the patch to conform to style guidelines (no tabs, 4-space indent, uncuddled else)
Attachment #58658 - Attachment is obsolete: true
Attachment #58659 - Attachment is obsolete: true
Comment on attachment 58660 [details] [diff] [review] Patch v4 - adds a comment I forgot. :) r=bbaetz (finally :) I can't test this ATM, though, so the second reviewer will have to.
Attachment #58660 - Flags: review+
Comment on attachment 58660 [details] [diff] [review] Patch v4 - adds a comment I forgot. :) Code looks solid and it works great. I tested it with a user on another bug, and a user on the current bug. I also tested with disallownew set. r=caillon
Attachment #58660 - Flags: review+
Re-assigning to Dave since it's his patch.
Assignee: myk → justdave
reassigning to the original author so we have a contributor record
Assignee: justdave → george.hotelling
checked in on the trunk: /cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v <-- bug_form.pl new revision: 1.84; previous revision: 1.83 checked in on the 2.14.1 security release branch: /cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v <-- bug_form.pl new revision: 1.70.2.1; previous revision: 1.70
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: security → applied to 2.14.1
This patch created a bug when there is only one product defined. No "product" HTML form variable was set in show_bug.cgi, thus process_bug.cgi would trip around line 139 since $::FORM{'product'} woudl not equal $::oldproduct: if ( ($::FORM{'id'} && $::FORM{'product'} ne $::oldproduct) || (!$::FORM{'id'} && $::FORM{'product'} ne $::dontchange) ) { I will be attaching a small patch shortly that will fix this issue by setting a hidden form variable named "product" when only one product exists.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Patch to fix the issue when only one product is defined in Bugzilla. This patch should be applied after Patch v.4 (attachment 58660 [details] [diff] [review]).
Comment on attachment 60249 [details] [diff] [review] Fix v.1 to Patch v.4 pretty obvious :) r=justdave
Attachment #60249 - Flags: review+
Comment on attachment 60249 [details] [diff] [review] Fix v.1 to Patch v.4 r=bbaetz for 2.14.1 and trunk. Untested but obvious; justdave says he has tested, though.
Attachment #60249 - Flags: review+
Checked in on the trunk: /cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v <-- bug_form.pl new revision: 1.85; previous revision: 1.84 and on the 2.14.1 branch: /cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v <-- bug_form.pl new revision: 1.70.2.2; previous revision: 1.70.2.1
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is add names to the CC list, so I guess I have to make a comment. Anyhow, adding the representatives from the organizations we know of that support Bugzilla distributions so they're aware of our upcoming security release
*** Bug 126363 has been marked as a duplicate of this bug. ***
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: