Closed Bug 235510 Opened 20 years ago Closed 20 years ago

Password exposed in URL to chart image if login required to access a chart

Categories

(Bugzilla :: Reporting/Charting, defect)

Product:
Bugzilla
Component:
Reporting/Charting
Version:
2.17.6
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: justdave, Assigned: gerv)

Details

(Whiteboard: [does not affect 2.16.x] [fixed in 2.18rc1])

Attachments

(1 file)

Patch v.1
702 bytes, patch
kiko
: review+
Details | Diff | Splinter Review 
Steps to reproduce:

1) View a new series-based chart.
2) Bookmark the results page.
3) Log out of Bugzilla.
4) Access the bookmark.  You'll be prompted to log in.
5) Log in.
6) View source on the resulting chart page.

Actual results:

The login ID and password are included in the query string of the URL to the
image (thus also showing up in web server logs).

Expected results:

The login ID and password should not be included.
Hmm. If we don't do that, will charting still work for people with cookies
turned off?

Gerv

Storing the username/pw in the URL is bad.

Remind me why we can't just require cookies for this? 'privacy' is not an answer
unless you can explain exactly what bugzilla's cookies do to have privacy
concerns. Its not like cookies lack browser support.....

The cookie IP restrictions is more of an issue, though, for this.

We could do HTTP basic auth, I guess, but thats a lot less secure.
> Remind me why we can't just require cookies for this?

Because currently Bugzilla policy is that everything works (albeit less
conveniently) without cookies. If we think that in this age of decent browser
cookie control we want to relax that, then that's fine - but we need to do so
explicitly with discussion, rather than as the easy solution to a technical problem.

Gerv

It would be better to issue a one-time use token and use that in the URL than
the expose the user's password.  We would only need to do this if
Bugzilla_password is present in the query string, as otherwise we can assume
they had a cookie already when they came in.

Note that uploading an attachment is currently impossible (and always has been)
if cookies are off, so this wouldn't be an isolated problem.
Yes, I know it was our policy, I was asking why :)

A one-time use token may be useful for other reasons, though, I guess.
Just for the record, given what's at stake here, I would be much happier having
cookieless operation broken for the time being than waiting for a while for some
kind of token interface to be implemented if it's going to take longer to do
that.  This is a new feature afterall, so we're not removing existing
functionality from cookieless users.
We also need the one-time tokens for attachments-on-a-different-host.

So the long term plan is: implement one-time tokens in a generic way, such that
"the presence of a valid token in a login_token param in the URL authenticates
that single request only, and invalidates the token." That way, we can use it
for almost anything to bridge the cookie gap.

In the short term, you are right - let's break it. It's fairly easy, I think -
just filter out Bugzilla_login and Bugzilla_password when we canonicalise the URL.

/me goes to look.

Gerv
Attached patch Patch v.1Splinter Review 
Here we go.

Gerv
Comment on attachment 142418 [details] [diff] [review]
Patch v.1

bbaetz?

Gerv
Attachment #142418 - Flags: review?(bbaetz)
If you're grabbing $cgi->query_string, then just $cgi->delete() those two params
before grabbing $cgi->query_string.
bah, my mail is slow. :)  I made that comment before I realized you'd posted a
patch :)  What you did works for me :)
canonicalise_query() does all the hard work for us - check the patch :-)

Gerv
Comment on attachment 142418 [details] [diff] [review]
Patch v.1

Obvious enough. Open a follow-up bug for the token?
Attachment #142418 - Flags: review?(bbaetz) → review+
Requesting approval.

Follow-up bug 236497 filed.

Gerv
Flags: approval+
Holding approval for 2.18rc1 release and security advisory.  (it's sooner than
you think ;)

Thanks guys!
Flags: approval+ → approval?
Whiteboard: [ready for 2.18rc1]
Oops, sorry, flubbed the approval request.

Gerv
Target Milestone: --- → Bugzilla 2.18
Flags: blocking2.18+
Whiteboard: [ready for 2.18rc1] → [does not affect 2.16.x] [ready for 2.18rc1]
sooner than we think.  hah!  Live and Learn.  Well, now it's here finally.
Flags: approval? → approval+
checked in
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Whiteboard: [does not affect 2.16.x] [ready for 2.18rc1] → [does not affect 2.16.x] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: