Closed
Bug 327801
Opened 18 years ago
Closed 15 years ago
CGI.pl's $::buffer should contain neither Bugzilla_login nor Bugzilla_password
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED
WORKSFORME
People
(Reporter: Wurblzap, Unassigned)
Details
This doesn't affect HEAD because CGI.pl doesn't exist there any more. I checked with 2.20-BRANCH, and I assume 2.18-BRANCH to be affected, too.

CGI files using $::buffer may end up generating GET forms or URIs containing a user's login and password, thus potentially disclosing it in the web server's log. The fix to bug 287436 covers this only if "Bugzilla->login" happens before "require CGI.pl".

Steps to reproduce:
o Switch the requirelogin parameter on
o Bring up query.cgi and prepare a query which will result in at least one hit
o Get logged out because you're behind a rotating proxy (you can simulate by logging out manually in a separate window)
o Press the Search button on the query form (because you're logged out now, you'll be asked to log in; do it)
o Press any column header (for sorting)

Actual result: The column header URIs contain login and password.

Expected result: All links Bugzilla puts on a page should be stripped of authentication data.
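An added illustration of the expected result above, not part of the original report and not Bugzilla's code: one way to drop the two parameters named in the bug summary from a buffered query string before it is reused in links. The function names and the sample query string are assumptions; the remedy discussed in the bug itself is to run Bugzilla->login before CGI.pl is required.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parameter names taken from the bug summary.
my %AUTH_PARAMS = map { $_ => 1 } qw(Bugzilla_login Bugzilla_password);

# Decode a URL-encoded parameter name so that an encoded spelling such as
# "Bugzilla%5Fpassword" is still recognised. (Hypothetical helper.)
sub decode_name {
    my ($name) = @_;
    $name =~ tr/+/ /;
    $name =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $name;
}

# Return the query string with the authentication pairs removed. Pairs are
# split on "&" and ";" (both are valid CGI separators) and re-joined with
# "&"; the surviving pairs themselves are not re-encoded. (Hypothetical helper.)
sub strip_auth_params {
    my ($query) = @_;
    return '' unless defined $query;
    my @kept;
    foreach my $pair (split /[&;]/, $query) {
        next if $pair eq '';
        my ($name) = split /=/, $pair, 2;
        next if $AUTH_PARAMS{ decode_name($name) };
        push @kept, $pair;
    }
    return join '&', @kept;
}

# Constructed sample: what a buffered query string could look like after the
# login form was submitted together with the original search.
my $buffer = 'bug_status=NEW&Bugzilla_login=user%40example.com'
           . '&Bugzilla%5Fpassword=constructed-secret;product=TestProduct';

my $clean = strip_auth_params($buffer);

# Safety check to run before any link is emitted: refuse to continue if a
# credential parameter survived in either plain or encoded form.
die "credentials still present\n"
    if $clean =~ /Bugzilla(?:_|%5F)(?:login|password)/i;

# Build a sort link the way a column header would, from the cleaned buffer.
print "buglist.cgi?$clean&order=bug_id\n";
```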
Reporter
Comment 1•18 years ago
In fact, this may affect HEAD, too, in places where $cgi->query_string() is accessed (and buffered) before Bugzilla->login happens. Both buglist.cgi and report.cgi do this, but luckily, they seem not to dole it out again (at least I couldn't make them to).
Reporter
Updated•18 years ago
Flags: blocking2.18.6?
Comment 2•18 years ago
We're so close to release now, and this bug doesn't have a patch on it at the moment. It sounds like we need to move Bugzilla->login before the CGI.pl requirement, if possible, and that should just fix it. If we have a 2.18.7, I'd be totally willing to block *that* on this, but I don't want to block all our releases, which we want to start QA on in a few days, on this bug with no patch.
Flags: blocking2.18.6? → blocking2.18.6-
Updated•17 years ago
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Updated•16 years ago
Group: webtools-security → bugzilla-security
Updated•16 years ago
Group: bugzilla-security → webtools-security
Updated•16 years ago
Group: webtools-security → bugzilla-security
Comment 3•16 years ago
Marc, is this bug still relevant? 2.20 is no longer supported and 2.22 and newer do not have CGI.pl anymore. Also, do we have any evidence of the problem reported in comment 0?
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Reporter
Comment 4•16 years ago
Yeah, it seems this one outlived itself. I'm a little worried about comment 1, though. Is there someone who has enough time at hand to look into this systematically?
Comment 5•15 years ago
I cannot reproduce in Bugzilla 3.0.8 and newer. Bugzilla 2.x is no longer supported.
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Target Milestone: Bugzilla 2.22 → ---