Closed Bug 179510 Opened 22 years ago Closed 21 years ago

Request notifications dont take group restrictions fully into account

Categories

(Bugzilla :: Attachments & Requests, defect)

2.17.1
defect
Not set
minor

Tracking

()

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: bugreport, Assigned: myk)

References

Details

(Whiteboard: [fixed in 2.17.4])

Attachments

(1 file, 7 obsolete files)

This is a "minor" security issue.

When a security bug (or a private attachment) is flagged with a request and that
request is copied automatically to a list (such as review requests going to
reviewers), the notification of the request does not take into account the
privileges of the recipient.

To further complicate things, the requestee may not have access to the very
thing they are being requested to act upon.

How do we want this to work?
- we shouldn't cc the request cclist unless the bug has no restrictions (or
maybe we can try to find an account, and use those)?

We should always mail the requestee, but warn when making a request that the
person can't see the bug, asking for the user to add the person tho the cclist,
or sometihng,
Summary: Requext notofications dont take group restrictions fully into account → Request notofications dont take group restrictions fully into account
Blocks: rt-clean-up
Actually, we could just call CanSeeBug() for each member of CClist just as
processmail does.
No, we can't - the cclist is a comma separated string; we don't have accounts
for that.
This also leaks the summary, which people aren't going to want for security bugs
sent to the reviewers list.

So hows this:

- When requesting a bug from a particular person, if they can't see the
attachment (not the bug; think insiders here), then we should have an
intermediate confirmation screen, giving the option (ie checkbox) of adding to
the cclist (if cclist_accessible is true). This should be done for each person
we're requesting from.

If cclist_accessible is not on, then we warn about that, but don't give an
option to automagically set it.

- When ccing to a list, if we can't find the user, then consider them as being
in no groups. Otherwise, just don't send the mail. There should be no prompt in
this case.
Summary: Request notofications dont take group restrictions fully into account → Request notifications dont take group restrictions fully into account
Target Milestone: --- → Bugzilla 2.18
I think this can be kept simple....

Drop anyone on the flag's CC list that lacks the group permission for the bug or
the attachment.

Always send the notice to the requestee
(to clarify comment 5)
CC list members without accounts should be treated as bbaetz suggests, no access
to any groups.
Attached patch work in progress: half a patch (obsolete) — Splinter Review
Here's a patch that throws a (nonexistent) error if the requestee is
unauthorized to see the bug.  Comments, suggestions, and help are all welcome.
You've got the 'pending' => '?' patch here, at least, but its more the cc list
which is the interesting part of this bug.
Before the CanSeeBug() is called, we need to make sure that ConfirmGroup() gets
called.  (For all the users other than the logged-in user)

If it is likely that the same user would also be on a CC list for the bug
itself, then we should plan on keeping a recird that ConfirmGroup() has already
been called for the other users.  This will help once processmail becomes a module.

We have a security release to the 2.17 branch coming up really shortly...  now
would be a good time to fix this so it can be included.
I think the minimal thing to do here is take the existing patch, add to it a
permissions check for cc: list addresses, and silently remove those that don't
have an account or whose account doesn't have permissions.  I'll do that Sunday
or Monday, and that'll take care of the security bug.  Then we can leave this
bug open or file a new one on making it work well.
Attachment #107395 - Attachment is obsolete: true
Attachment #119137 - Attachment is obsolete: true
Attached patch patch v1: implementation (obsolete) — Splinter Review
This checks and removes flag cc:s and throws an intelligible (although crappy)
error message if the user requests a flag from someone who can't see the bug.
Attachment #119249 - Attachment is obsolete: true
Attachment #119528 - Flags: review?(justdave)
Comment on attachment 119528 [details] [diff] [review]
patch v1: implementation

Saturday wait
And sunday always comes too late
But friday never hesitate...
Attachment #119528 - Flags: review?(bbaetz)
Comment on attachment 119528 [details] [diff] [review]
patch v1: implementation

>Index: attachment.cgi

>+                  || &::ThrowUserError("flag_requestee_unauthorized",

For ThrowUserError, you can now |use Bugzilla::Error|, and drop the &::.

>+    &::SendSQL("SELECT    1, short_desc, product_id, component_id,
>+                          SUM(bug_group_map.group_id)

COUNT(), not SUM - its marginally cheaper. What we really want is an EXISTS
subselect, but....

>+    # If the target bug is restricted to one or more groups, then we need
>+    # to make sure we don't send email about it to unauthorized users
>+    # on the request type's CC: list, so we have to trawl the list for users
>+    # not on in those groups or email addresses that don't have an account.
>+    if ($flag->{'target'}->{'bug'}->{'restricted'}) {
>+        my @new_cc_list;
>+        foreach my $cc (split(/[, ]+/, $flag->{'type'}->{'cc_list'})) {
>+            my $user_id = &::DBname_to_id($cc) || next;
>+            &::ConfirmGroup($user_id);

This would all be a lot easier with Bugzilla::User. I should probably finish
that patch off...

>+            push(@new_cc_list, $cc)
>+              if &::CanSeeBug($flag->{'target'}->{'bug'}->{'id'}, $user_id);

Is there a way of testing multiple people for CanSeeBug in one go? That would
be a lot quicker. I know how to do it given subselects and MINUS, but I'm not
sure if theres an efficent way without it. I also don't know a nice way to do
it given the , separated stuff we have.

>+sub privileges {

Hmm. You know, I'd rather that you didn't do this, and waited for my user.pm
patch to go in. OTOH, you don't actually appear to use this sub anywhere, so
just drop it.

Do you need to handle private attachments here, or does somewhere else do that?

OK, now let me go and test.
Comment on attachment 119528 [details] [diff] [review]
patch v1: implementation


>Index: template/en/default/global/user-error.html.tmpl

>+  [% ELSIF error == "flag_requestee_unauthorized" %]
>+    [% title = "Flag Requestee Not Authorized" %]
>+
>+    You asked [% requestee.identity FILTER html %] for 
>+    [% flag_type.name FILTER html %], but bug [% bug_id %] has been restricted 
>+    to users in certain groups, and that user isn't in all the groups 
>+    to which the bug has been restricted.  Please choose someone else to ask 
>+    or go back and add that user to the CC: list for the bug (making sure 
>+    users on the bug's CC: list are able to access it).

There should probably be <code></code> arround some stuff here, too

Anyway, this dies when I try to add teh patch flag to a bug, because
bug_group_map isn't locked in GetBug. I _hate_ this behaviour of mysql.

Is Bug.pm lightweight enough now? (Not that that would help the locking issue,
mind you)
Attachment #119528 - Flags: review?(bbaetz) → review-
Comment on attachment 119528 [details] [diff] [review]
patch v1: implementation

Also fails if I don't put any name in the field when requesting a flag	which
is specifically requestable.
Comment on attachment 119528 [details] [diff] [review]
patch v1: implementation

... in fact, all attachment actions fail.
Attached patch patch v2: fixes bbaetz' issues (obsolete) — Splinter Review
>For ThrowUserError, you can now |use Bugzilla::Error|, and drop the &::.

Ok, done for new throws.


>COUNT(), not SUM - its marginally cheaper.

Done.


>Is there a way of testing multiple people for CanSeeBug in one go?

Not at first glance anyway, but the number of addresses on a flag type's CC:
list is likely to be small; it can always be an alias that explodes to multiple
users, after all.


>Hmm. You know, I'd rather that you didn't do this, and waited for my user.pm
>patch to go in. OTOH, you don't actually appear to use this sub anywhere, so
>just drop it.

Done.


>Do you need to handle private attachments here, or does somewhere else do
that?

No, I need to handle them.  Done.


>There should probably be <code></code> arround some stuff here, too

Done.


>Anyway, this dies when I try to add teh patch flag to a bug, because
>bug_group_map isn't locked in GetBug. I _hate_ this behaviour of mysql.

Yuck.  Fixed.


>Is Bug.pm lightweight enough now? (Not that that would help the locking issue,

>mind you)

Not sure, but let's keep this patch minimal, to reduce risk and get it done
quicker, as it's wanted for the security update.


>Also fails if I don't put any name in the field when requesting a flag which
>is specifically requestable.

>... in fact, all attachment actions fail.

All problems have been fixed as far as I can tell.


I also removed the pending fix; I'll attach that to the relevant bug instead.
Attachment #119528 - Attachment is obsolete: true
Attachment #119528 - Flags: review?(justdave)
Attachment #119629 - Flags: review?(bbaetz)
Comment on attachment 119629 [details] [diff] [review]
patch v2: fixes bbaetz' issues

You've reverted a whole set of my ThrowUserError changes in proces_bug.

trim isn't |undef| safe on semi-purpose, I believe - all operations are not
defined, baisclaly.

Whats the CanSeeBug comment all about? Isn't that to do with that other bug?
Attachment #119629 - Flags: review?(bbaetz) → review-
Attached patch patch v3: oops fixed (obsolete) — Splinter Review
>You've reverted a whole set of my ThrowUserError changes in proces_bug.

Urk. How did I miss that?  Fixed.  Strange that CVS made it happen, however. 
Somehow when I CVS updated I didn't get your changes, but the version flag got
updated to the latest version, so it looked like I was backing your changes
out.

>trim isn't |undef| safe on semi-purpose, I believe - all operations are not
>defined, baisclaly.

The only thing my change does is prevent warnings from being printed to the web
server error log about "Use of uninitialized value in substitution".  People
rarely look at their web server's error log unless there's an actual error, at
which point lots of warning messages is just a distraction, so the current
behavior is not that great.

So, we have two alternatives to the current behavior: throw an error when trim
gets an uninitialized string, or deal with it somehow without throwing an error
or a warning.  I'm ok with either, but I think that trim is the kind of
function it would be useful to be able to call casually, f.e. in this patch
where I use "trim(<form-field>)" without checking to see if <form-field> exists
first.

>Whats the CanSeeBug comment all about? Isn't that to do with that other bug?

Yeah.  I thought it would be useful to state, but it isn't necessary; removed.
Attachment #119629 - Attachment is obsolete: true
Comment on attachment 119707 [details] [diff] [review]
patch v3: oops fixed

Review requested, but here's a potential problem:

attachment.cgi and process_bug.cgi lock a bunch of tables and then call
Flag::process, which calls ::create, ::modify, and ::clear, which call
::notify, which calls ConfirmGroup, which calls DeriveGroup, which locks a few
tables, killing the previous locks.  Another reason to fix bug 200174, although
there's probably a workaround here somewhere.
Attachment #119707 - Flags: review?(bbaetz)
The 'workarround' is to not lock tables, but to use transactions :) This is just
going to keep happening as we modularise and abstract stuff.

Can't we just UNLOCK specific tables, or something?
I *think* you can issue another LOCK TABLES statement with a subset of the
tables that were originally locked.  This needs to be done with care (run-time
check?) because of the risk that a subsequent lock is not a true subset of the
original lock as this has potential to cause very intermittent deadlocks.
Re comment 23 - does that mean that attachment.cgi holds table locks whilst it
sends mail??

Anywa, the fix would be to not unlock the tables if we've already locked stuff.
We're going to have to have a 'lock' abstraction UI anyway, for cross db
support, and that can easily hold a boolean flag...
Blocks: 190911
>Re comment 23 - does that mean that attachment.cgi holds table locks whilst it
>sends mail??

In general, no, but when it comes to flags, yes.
This isn't making the 2.17.4 train unless it gets resolved in the next 24 hours.
No longer blocks: 190911
Whiteboard: [wanted for 2.17.5]
Attached patch patch v4: fixes locking problem (obsolete) — Splinter Review
Here's a fix for the locking problem.  It's a hack, but it'll work until we can
switch to transactions.  Basically I just pass a flag telling DeriveGroups that
we've already locked tables, and then DeriveGroups doesn't try to lock them
itself.  I also modified the actual lock statements to comply with the locks
DeriveGroups wants.
Attachment #119707 - Attachment is obsolete: true
Attachment #121331 - Flags: review?(bbaetz)
Attachment #121331 - Flags: review?(justdave)
Attachment #119707 - Flags: review?(bbaetz)
Comment on attachment 121331 [details] [diff] [review]
patch v4: fixes locking problem

This looks fine (for a 'mysql sucks' defn of fine) from a _very_ quick glance
through. I'm not really able to spend time on bugzilla tonight, though, so if
we want this soon someone else should look at it. Late Thursday US time is
probably the earliest, although maybe tomorrow. Sorry.
Comment on attachment 121331 [details] [diff] [review]
patch v4: fixes locking problem

Ok: since we're in a hurry, I kinda got the 30,000 feet view of what this patch
is doing; it looks good, and that majority of the stuff below is (heavy)
"nits"... "serious suggestions," if you will.

Because we're trying to release, r=preed, but please consider fixing this stuff
below before it goes in.

> sub GetSelectableProducts {
>-    my $query = "SELECT name " .
>+    my ($by_id) = @_;
>+    my $query = "SELECT " . ($by_id ? "id, " : "") . "name " .

This is complicated, hard to read, and prone to errors in the quoting.

How about:

my $extraSql = ""
$extraSql = "id, " if ($by_id);

my $query = "SELECT $extraSql name " .

I don't care what the variable is named, but the inline expression evaluation
with all the quotation marks... ewww...

>+    foreach my $table (@tables) {
>+        # Why oh why can't we standardize on these names?!?

Can we get a bug filed on this if it's that important (and I agree that it is)?

Can you put a quick comment in about why we have to check if we're locked now?
>+    SendSQL("LOCK TABLES profiles WRITE, user_group_map WRITE, group_group_map READ, groups READ")
>+      unless $locked;

>+        # Make sure the requestee is authorized to access the bug.
>+        # (and attachment, if this installation is using the "insider group"
>+        # feature and the attachment is marked private).
>+        if ($status eq '?'
>+            && $flag->{type}->{is_requesteeble}
>+            && trim($data->{"requestee-$id"}))

Please pick a consistant quoting style. Above, you seem to use ->{'foo'} or
->{"bar"}, but here, you don't.

>+                # We know the requestee exists because we ran
>+                # Bugzilla::User::match_field before getting here.
>+                # ConfirmGroup makes sure their group settings
>+                # are up-to-date or calls DeriveGroups to update them.
>+                &::ConfirmGroup($requestee_id, 1);

Can you add a comment about what the 1 is about; that, or make a #define (or
the perl equivalent) called $LOCK_TABLE or $TABLE_ALREADY_LOCKED or whatever
that equals 1, so it's clear that that's all about.

>+                                     attach_id =>
>+                                       $flag->{target}->{attachment}->{id} });

Quoting again.

>+                if ($flag->{target}->{attachment}->{exists}

Quoting.
Attachment #121331 - Flags: review+
The names are different because components is the only one to have been updated
so far to use ids.

(The others are likely to become custfields at some point, too)

Also, remove that pending/pend change which sunck in from an unrelated bug. /me
goes to test.
>This is complicated, hard to read, and prone to errors in the quoting.
>How about: ...

Eww, but ok, I did:    my $extra_sql = $by_id ? "id, " : "";

>Can we get a bug filed on this if it's that important (and I agree that it
is)?

Comment added to bug 200837.

>Can you put a quick comment in about why we have to check if we're locked now?


Done.

>Please pick a consistant quoting style.

Ok, I pick quoteless.

>Above, you seem to use ->{'foo'} or ->{"bar"}, but here, you don't.

Well, I generally only use double quotes when variables need interpolating. 
Otherwise I choose quoteless, although I previously used single quotes, so
those are still prevalent in the code.

>Can you add a comment about what the 1 is about; that, or make a #define (or
the perl equivalent)

Ok, made a constant called TABLES_ALREADY_LOCKED.  Also, removed the argument
where it wasn't needed (i.e. in calls from validate, which is called outside of
any table locks).

>Also, remove that pending/pend change which sunck in from an unrelated bug.

Done.
Attachment #121331 - Attachment is obsolete: true
Attachment #121331 - Flags: review?(justdave)
Attachment #121331 - Flags: review?(bbaetz)
Attachment #121606 - Flags: review?(bbaetz)
Comment on attachment 121606 [details] [diff] [review]
patch v5: review fixes

r=bbaetz, but please get a second review.

Also, please file a bug on that issue with invalid login names not generating
an error from match_user.
Attachment #121606 - Flags: review?(bbaetz)
Attachment #121606 - Flags: review?
Attachment #121606 - Flags: review+
Attachment #121606 - Flags: review? → review?(justdave)
Comment on attachment 121606 [details] [diff] [review]
patch v5: review fixes

My biggest nits were clobbered... carry that r=preed forward!
Attachment #121606 - Flags: review?(justdave)
Flags: approval+
Checking in Attachment.pm;
/cvsroot/mozilla/webtools/bugzilla/Attachment.pm,v  <--  Attachment.pm
new revision: 1.14; previous revision: 1.13
done
Checking in attachment.cgi;
/cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v  <--  attachment.cgi
new revision: 1.40; previous revision: 1.39
done
Checking in globals.pl;
/cvsroot/mozilla/webtools/bugzilla/globals.pl,v  <--  globals.pl
new revision: 1.237; previous revision: 1.236
done
Checking in process_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v  <--  process_bug.cgi
new revision: 1.183; previous revision: 1.182
done
Checking in Bugzilla/Flag.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Flag.pm,v  <--  Flag.pm
new revision: 1.10; previous revision: 1.9
done
Checking in Bugzilla/FlagType.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/FlagType.pm,v  <--  FlagType.pm
new revision: 1.2; previous revision: 1.1
done
Checking in Bugzilla/Util.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Util.pm,v  <--  Util.pm
new revision: 1.10; previous revision: 1.9
done
Checking in template/en/default/global/user-error.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/global/user-error.html.tmpl,v
 <--  user-error.html.tmpl
new revision: 1.34; previous revision: 1.33
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [wanted for 2.17.5] → [fixed in 2.17.4]
Security Advisory has been posted, removing security group
Group: webtools-security
Resecuring so I can test application of this patch on b.m.o.
Group: webtools-security
Comment on attachment 121606 [details] [diff] [review]
patch v5: review fixes

test of this patch on b.m.o: this is the unpatched version
Attachment #121606 - Flags: review?(myk)
Comment on attachment 121606 [details] [diff] [review]
patch v5: review fixes

test of this patch on b.m.o: this is the patched version
Attachment #121606 - Flags: review?(myk)
Attachment #121606 - Flags: review?(myk)
Group: webtools-security
Attachment #121606 - Flags: review?(myk)
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: