Closed Bug 162313 Opened 22 years ago Closed 22 years ago

possible security issue with useregexps

Categories

(Bugzilla :: Documentation, defect)

2.17
x86
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: bbaetz, Assigned: bz)

Details

Groups have userregexps for the defaults to use for new users. This is overkill
(bug 162331), but its also a security hole.

Given a userregexp of |.*@foo.com|, I can match that with an address of
bbaetz@foo.com.my.server.com.au. This is because there isn't any ^ or $ wrapping
in InsertNewUser.

What are bmo's regexps set to? :) landfill's are buggy this way....

This could arguably be called an error on the part of the admin, but since we
don't give any examples.... ^ wrapping is probably going to break stuff, but $
shouldn't. Alternately, we can just have checksetup prepend ^.* and append $,
and then update the help text so that admins can see what went wrong.
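The unanchored match described in the report, shown as an added example in Python (this is not Bugzilla's own code; the group names and regexps are constructed, and Python's re.search has the same find-anywhere semantics as a bare Perl match for these patterns). It also includes the ^.*/$ wrapping proposed above and a small audit of the kind a configuration check could run over the group regexps:

```python
import re

# Constructed sample group userregexps, as an admin might enter them on the
# editgroups page (an assumption for illustration; not bmo's real settings).
GROUP_REGEXPS = {
    "foo-employees": r".*@foo.com",          # the pattern from the report: no $ terminator
    "foo-employees-fixed": r".*@foo\.com$",  # terminated with $, as the thread advises
}

def matches_unanchored(regexp, email):
    """A bare match with no ^ or $ wrapping, as the report describes InsertNewUser.
    re.search, like Perl's m//, finds the pattern anywhere in the address."""
    return re.search(regexp, email) is not None

def matches_wrapped(regexp, email):
    """The alternative floated in the report: checksetup prepends ^.* and appends $.
    Prepending ^.* rather than a bare ^ keeps a pattern that starts with @ working."""
    return re.search("^.*" + regexp + "$", email) is not None

def audit_regexps(regexps):
    """Configuration audit in the spirit of the configcheck.cgi idea raised later in
    the thread: flag group regexps the admin probably did not mean literally."""
    findings = []
    for name, rx in regexps.items():
        if not rx.endswith("$"):
            findings.append((name, "not terminated with $, so any longer address also matches"))
        # An unescaped '.' (not preceded by a backslash and not part of '.*')
        # matches any character, so foo.com also accepts fooXcom.
        if re.search(r"(?<!\\)\.(?!\*)", rx):
            findings.append((name, "unescaped '.' matches any character, not a literal dot"))
    return findings

if __name__ == "__main__":
    spoofed = "bbaetz@foo.com.my.server.com.au"   # the address from the report
    for name, rx in GROUP_REGEXPS.items():
        print(name, rx, "unanchored:", matches_unanchored(rx, spoofed),
              "wrapped:", matches_wrapped(rx, spoofed))
    for finding in audit_regexps(GROUP_REGEXPS):
        print("audit:", *finding)
```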

I tested this locally by modifying /etc/hosts to make 127.0.0.1 an alias for
bluemartini.com.localhost, and it worked.
bmo's group regexps are ok.
This is a documentation issue. Since we document that we use Perl regexps,
people who know Perl regexps should know that you need a $ to terminate a regexp.

Unless we've previously given examples that don't include the $ we probably
shouldn't even release an advisory on this but just change the on-screen
instructions to point it out.  And maybe make a brief mention of it in the
release notes.
Target Milestone: --- → Bugzilla 2.18
cc:ing barnboy since this is a docs issue.
Hmm, I should reassign to barnboy rather than cc: him.
Assignee: myk → matthew
Component: User Accounts → Documentation
Status: NEW → ASSIGNED
Barnboy: ping
Sorry, work's had me busy the last week.  Will add this to Bugzilla Guide and
in-code documentation, will require review on code check-in.
We are starting to accumulate more items that are potential misconfigurations
rather than bugs, but could be automatically checked for. This is happening at
the same time as we should be expecting many more newbie admins. Should we add
a "configcheck.cgi" that does some configuration audits?

It appears this was documented as part of bug 157756.
It's documented on the editgroups page itself as well, as of when all the groups
stuff got changed around.

I think this has been sufficiently taken care of.
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa