Closed Bug 327801 Opened 18 years ago Closed 15 years ago

CGI.pl's $::buffer should contain neither Bugzilla_login nor Bugzilla_password

Categories

(Bugzilla :: Bugzilla-General, defect)

Version: 2.18
Type: defect
Priority: Not set
Severity: normal

RESOLVED WORKSFORME

People

(Reporter: Wurblzap, Unassigned)

Details

This doesn't affect HEAD because CGI.pl doesn't exist there any more. I checked with 2.20-BRANCH, and I assume 2.18-BRANCH to be affected, too.

CGI files using $::buffer may end up generating GET forms or URIs containing a user's login and password, thus potentially disclosing it in the web server's log. The fix to bug 287436 covers this only if "Bugzilla->login" happens before "require CGI.pl".

Steps to reproduce:
o Switch the requirelogin parameter on
o Bring up query.cgi and prepare a query which will result in at least one hit
o Get logged out because you're behind a rotating proxy (you can simulate by
  logging out manually in a separate window)
o Press the Search button on the query form (because you're logged out now,
  you'll be asked to log in; do it)
o Press any column header (for sorting)

Actual result:
The column header URIs contain login and password.

Expected result:
All links Bugzilla puts on a page should be stripped of authentication data.
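
One way to enforce the expected result above, as an added example that is not part of the bug report or of Bugzilla's code: filter the two parameter names from the bug summary out of a raw query string before it is reused in links or GET forms. The helper name `strip_credentials` and the sample query string are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parameter names taken from the bug summary.
my %CREDENTIAL_PARAM = map { $_ => 1 } qw(Bugzilla_login Bugzilla_password);

# Percent-decode a parameter name so that an encoded spelling such as
# "Bugzilla%5Fpassword" is still recognised.
sub decode_name {
    my ($name) = @_;
    $name =~ tr/+/ /;
    $name =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $name;
}

# strip_credentials() is a hypothetical helper, not a Bugzilla function.
# It drops every credential pair and keeps the remaining pairs unchanged
# and in their original order; "&" and ";" separators both become "&".
sub strip_credentials {
    my ($query) = @_;
    return '' unless defined $query;
    my @kept;
    foreach my $pair (split /[&;]/, $query) {
        next if $pair eq '';
        my ($name) = split /=/, $pair, 2;
        next if $CREDENTIAL_PARAM{ decode_name($name) };
        push @kept, $pair;
    }
    return join '&', @kept;
}

# Constructed sample: a buffered query string as it might look when the
# login form fields were submitted together with the search parameters.
my $buffer = 'Bugzilla_login=user%40example.com&Bugzilla_password=hunter2'
           . '&product=TestProduct;Bugzilla%5Fpassword=hunter2&order=bugs.bug_id';

my $clean = strip_credentials($buffer);
print "$clean\n";

# Fail loudly if any spelling of the credential parameters survived.
die "credentials survived\n"
    if $clean =~ /Bugzilla(?:_|%5F)(?:login|password)/i;
```

Filtering on the decoded parameter name matters because a percent-encoded name reaches the CGI parameter parser as the same key as the plain one.
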
In fact, this may affect HEAD, too, in places where $cgi->query_string() is accessed (and buffered) before Bugzilla->login happens. Both buglist.cgi and report.cgi do this, but luckily, they seem not to dole it out again (at least I couldn't make them do so).
Flags: blocking2.18.6?
We're so close to release now, and this bug doesn't have a patch on it at the moment.

It sounds like we need to move Bugzilla->login before the CGI.pl requirement, if possible, and that should just fix it.

If we have a 2.18.7, I'd be totally willing to block *that* on this, but I don't want to block all our releases, which we want to start QA on in a few days, on this bug with no patch.
Flags: blocking2.18.6? → blocking2.18.6-
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
Marc, is this bug still relevant? 2.20 is no longer supported and 2.22 and newer do not have CGI.pl anymore. Also, do we have any evidence of the problem reported in comment 0?
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Yeah, it seems this one outlived itself. I'm a little worried about comment 1, though. Is there someone who has enough time at hand to look into this systematically?
I cannot reproduce in Bugzilla 3.0.8 and newer. Bugzilla 2.x is no longer supported.
Group: bugzilla-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Target Milestone: Bugzilla 2.22 → ---