Bug 162313 - possible security issue with useregexps
Status: RESOLVED FIXED (Closed)
Product/Component: Bugzilla :: Documentation, defect
Target Milestone: Bugzilla 2.18
Reporter: bbaetz, Assigned: bz
Opened 22 years ago, closed 22 years ago
Group: webtools-security

Description
Groups have userregexps for the defaults to use for new users. This is overkill (bug 162331), but it's also a security hole. Given a userregexp of |.*@foo.com|, I can match that with an address of bbaetz@foo.com.my.server.com.au. This is because there isn't any ^ or $ wrapping in InsertNewUser. What are bmo's regexps set to? :) landfill's are buggy this way.... This could arguably be called an error on the part of the admin, but since we don't give any examples.... ^ wrapping is probably going to break stuff, but $ shouldn't. Alternately, we can just have checksetup prepend ^.* and append $, and then update the help text so that admins can see what went wrong. I tested this locally by modifying /etc/hosts to make 127.0.0.1 an alias for bluemartini.com.localhost, and it worked.
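The matching behaviour described in the report, worked through as an added Python example. This is not Bugzilla's Perl code; Python's re module behaves the same way as Perl for the constructs used here (unanchored search, $ matching before a trailing newline, alternation binding looser than anchors). The |...| around the regexp in the report are Bugzilla's quoting, not part of the pattern. The first group regexp and the first two addresses are the report's; the alternation regexp, the other addresses and the helper names are constructed for this illustration.

```python
import re

# Constructed sample data. LOOSE_REGEXP, LEGIT and SUFFIXED come from the report;
# the rest is added for this example.
LOOSE_REGEXP = r".*@foo.com"            # intended: "anyone at foo.com"
ALT_REGEXP = r"@foo.com|@bar.com"       # an admin using alternation

LEGIT = "bbaetz@foo.com"
SUFFIXED = "bbaetz@foo.com.my.server.com.au"   # the hole: intended domain is only a prefix
DOT_ABUSE = "bbaetz@fooXcom"                   # unescaped '.' matches any character
TRAILING_NL = "bbaetz@foo.com\n"               # '$' still permits one trailing newline
EVIL_ALT = "evil@foo.com.attacker"             # defeats a naively wrapped alternation


def unanchored(regexp, address):
    """What the report says InsertNewUser did: a bare search, so the pattern
    may match anywhere inside the address."""
    return re.search(regexp, address) is not None


def naive_wrap(regexp, address):
    """The proposed checksetup fix taken literally: prepend ^.* and append $.
    Alternation binds looser than the anchors, so '^.*A|B$' is read as
    '(^.*A)|(B$)' and the first branch stays open-ended."""
    return re.search("^.*" + regexp + "$", address) is not None


def grouped_wrap(regexp, address):
    """Same wrapping with a non-capturing group, so the anchors apply to the
    whole admin-supplied pattern. '$' still matches before a final newline,
    in Python as in Perl."""
    return re.search("^.*(?:" + regexp + ")$", address) is not None


def strict(regexp, address):
    """re.fullmatch is \\A(?:...)\\Z: nothing before, nothing after, not even a
    newline. The Perl equivalent would be \\A ... \\z."""
    return re.fullmatch(regexp, address) is not None


def safe_domain_regexp(domain):
    """Build what the admin meant: any local part at exactly this domain,
    with the dots in the domain escaped so they match literally."""
    return r".*@" + re.escape(domain)


if __name__ == "__main__":
    print("unanchored, suffixed address:", unanchored(LOOSE_REGEXP, SUFFIXED))
    print("naive ^.*...$ on alternation:", naive_wrap(ALT_REGEXP, EVIL_ALT))
    print("grouped ^.*(?:...)$ on alternation:", grouped_wrap(ALT_REGEXP, EVIL_ALT))
    print("grouped wrap, trailing newline:", grouped_wrap(LOOSE_REGEXP, TRAILING_NL))
    print("strict, trailing newline:", strict(LOOSE_REGEXP, TRAILING_NL))
    print("strict, unescaped dot:", strict(LOOSE_REGEXP, DOT_ABUSE))
    print("strict, escaped domain:", strict(safe_domain_regexp("foo.com"), DOT_ABUSE))
```

Two points beyond the report fall out of this: wrapping an admin's pattern in anchors is only safe if the pattern is also wrapped in a group, and `$` alone is not a hard end-of-string anchor, so an address with a trailing newline would still need normalising (or `\z` in Perl) before the check.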
Comment 1 • 22 years ago
bmo's group regexps are ok.
Comment 2 • 22 years ago
This is a documentation issue. Since we document that we use Perl regexps, people who know Perl regexps should know that you need a $ to terminate a regexp. Unless we've previously given examples that don't include the $, we probably shouldn't even release an advisory on this but just change the on-screen instructions to point it out. And maybe make a brief mention of it in the release notes.
Updated • 22 years ago
Target Milestone: --- → Bugzilla 2.18
Comment 3 • 22 years ago
cc:ing barnboy since this is a docs issue.
Comment 4 • 22 years ago
Hmm, I should reassign to barnboy rather than cc: him.
Assignee: myk → matthew
Updated • 22 years ago
Component: User Accounts → Documentation
Updated (assignee) • 22 years ago
Status: NEW → ASSIGNED
Comment 5 • 22 years ago
Barnboy: ping
Comment 6 (assignee) • 22 years ago
Sorry, work's had me busy the last week. Will add this to Bugzilla Guide and in-code documentation, will require review on code check-in.
Comment 7 • 22 years ago
We are starting to accumulate more items that are potential misconfigurations rather than bugs, but could be automatically checked for. This is happening at the same time as we should be expecting many more newbie admins. Should we add a "configcheck.cgi" that does some configuration audits?
Comment 8 • 22 years ago
It appears this was documented as part of bug 157756.
Comment 9 • 22 years ago
It's documented on the editgroups page itself as well, as of when all the groups stuff got changed around. I think this has been sufficiently taken care of.
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa