Closed
Bug 289365
Opened 19 years ago
Closed 17 years ago
incorrect (?) group check in process_bug.cgi at lines 1464-1475
Categories
(Bugzilla :: Creating/Changing Bugs, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 3.0
People
(Reporter: LpSolit, Assigned: LpSolit)
References
()
Details
(Whiteboard: [blocker will fix])
my $newproduct_id = $oldhash{'product_id'}; if ((defined $::FORM{'product'}) && ($::FORM{'product'} ne $::FORM{'dontchange'})) { my $newproduct_id = get_product_id($::FORM{'product'}); } Due to the second "my" in the IF block, $newproduct_id is not updated out of the IF block when reassigning a bug to a new product. Later, we have SendSQL("SELECT id, membercontrol FROM groups LEFT JOIN group_control_map ON id = group_id AND product_id = $newproduct_id WHERE isactive != 0"); Then, group IDs and member controls are the ones of the old group instead of the new one. Either should we remove the second "my" (the one in the IF block) to update $newproduct_id to the new product ID or this IF block should be removed completely. I don't think this is exploitable though, so I don't set the security flag.
Assignee | ||
Updated•19 years ago
|
Flags: blocking2.20?
Flags: blocking2.18.1?
Target Milestone: --- → Bugzilla 2.20
Assignee | ||
Comment 1•19 years ago
|
||
(In reply to comment #0) > Then, group IDs and member controls are the ones of the old group instead of err... I meant "old product".
Comment 2•19 years ago
|
||
At first glance, this allows someone to move a bug into a product they don't have access to. 1) They'd either have to know the product existed anyway or be brute forcing names (which would make a lot of noise when they got it right) 2) They still only have access to that bug. If my analysis is correct, then this is indeed not a security issue, however it's definitely worthy of fixing. I'll defer to joel since it's his code, but the correct answer to me appears to be to remove the "my" from the one inside the if block.
Flags: blocking2.20?
Flags: blocking2.20+
Flags: blocking2.18.1?
Flags: blocking2.18.1+
Assignee | ||
Comment 3•19 years ago
|
||
Note that by removing the "my" from the IF block, we don't need line 1620 anymore: my $newproduct_id = get_product_id($::FORM{'product'}); as $newproduct_id will already be updated earlier.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Updated•19 years ago
|
Flags: blocking2.18.2?
Comment 4•19 years ago
|
||
So does that mean this isn't actually broken, but someone previously fixed it and missed the obivious?
Flags: blocking2.18.2?
Comment 5•19 years ago
|
||
Actually, this goes way back. It appears that the first section (line 1464) incorrectly but harmlessly re-applies the old product's group controls. Then, the later code (around line 1620) correctly applies the new group controls. After that, it needs a real careful round of review and testing.
Assignee | ||
Comment 6•19 years ago
|
||
Per discussion with joel in IRC, it appears that lines 1495-1538 apply to the product we are moving from and lines 1642-1750 to the product we are moving to. Then the actual code seems correct and the IF block would be useless. But joel prefers to delay any change here till we release 2.18.1 and 2.19.3. This sounds reasonable and then I ask justdave to move the blocking flag from 2.18.1 to 2.18.2. Reassigning to joel too.
Assignee: create-and-change → bugreport
Flags: blocking2.18.2?
Updated•19 years ago
|
Flags: blocking2.18.2?
Flags: blocking2.18.2+
Flags: blocking2.18.1-
Flags: blocking2.18.1+
Comment 7•19 years ago
|
||
On the premise that this is not actually broken, but is just a code correctness issue, this no longer qualifies for a branch checkin. The code may be ugly and unnecessary, but it's not broken.
Flags: blocking2.18.2+ → blocking2.18.2-
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Updated•19 years ago
|
Flags: blocking2.20+ → blocking2.20-
Assignee | ||
Comment 8•19 years ago
|
||
We should avoid changing (working) group validation routines on the 2.20 branch. Let's do it on the tip only. Retargetting to 2.22.
Severity: major → normal
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Assignee | ||
Updated•19 years ago
|
Severity: normal → minor
Target Milestone: Bugzilla 2.22 → ---
Comment 9•18 years ago
|
||
this doesn't exist any more
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Assignee | ||
Comment 10•18 years ago
|
||
This bug is still valid. We have to make sure everything is OK there. And only a part of the code has gone.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Assignee | ||
Updated•18 years ago
|
Status: REOPENED → NEW
Assignee | ||
Comment 11•17 years ago
|
||
I fixed this problem as part of bug 338796. And bug 347213 changed this part of the code completely anyway, so there is no need to worry about it anymore.
Assignee: bugreport → LpSolit
Depends on: 338796
Whiteboard: [blocker will fix]
Target Milestone: --- → Bugzilla 3.0
Assignee | ||
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago → 17 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•