Bug 102141 - [security] When changing a bug the Product: list has options the user doesn't have access to.
Status: RESOLVED FIXED
applied to 2.14.1
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
Version: 2.14
Hardware: All / OS: All
Importance: P1 blocker
Target Milestone: Bugzilla 2.16
Assigned To: George Hotelling
QA Contact: default-qa
Duplicates: 126363
Reported: 2001-09-28 07:24 PDT by George Hotelling
Modified: 2012-12-18 20:46 PST
Iteration: ---
Points: ---


Attachments
  A patch that seems to have fixed the problem on my installation. (1.27 KB, patch)
    2001-10-01 09:23 PDT, George Hotelling; no flags
  Unified version of the patch (2.12 KB, patch)
    2001-10-01 16:17 PDT, George Hotelling; no flags
  same as previous, but applies cleanly (2.04 KB, patch)
    2001-11-20 20:53 PST, Dave Miller [:justdave] (justdave@bugzilla.org); justdave: review-
  Patch v2 - include current product in popup (2.18 KB, patch)
    2001-11-20 21:28 PST, Dave Miller [:justdave] (justdave@bugzilla.org); no flags
  Patch v3 - disallow new shouldn't be checked either for current product (2.20 KB, patch)
    2001-11-20 21:39 PST, Dave Miller [:justdave] (justdave@bugzilla.org); no flags
  Patch v4 - adds a comment I forgot. :) (2.38 KB, patch)
    2001-11-20 21:40 PST, Dave Miller [:justdave] (justdave@bugzilla.org); bbaetz: review+, caillon: review+
  Fix v.1 to Patch v.4 (313 bytes, patch)
    2001-12-03 16:33 PST, David D. Kilzer (ddk); justdave: review+, bbaetz: review+

Description George Hotelling 2001-09-28 07:24:19 PDT
If a bug is created in the product Foo, a user with Foo Bug Access will be able 
to see other products in the Product pulldown menu in show_bug.cgi.  I can 
reproduce it by doing the following:

1. Create a user Alice who has only Foo Bugs Access, and no other permissions 
checked.
2. Alice submits a bug for the Foo product.
3. Alice views the bug at show_bug.cgi
4. Alice selects the Product pulldown menu (normally used to change which 
product a bug belongs to) and sees that products Bar and Baz also exist.

Instead, Bugzilla should only display products that Alice has access to.  In 
this case only Foo should be displayed.
Comment 1 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-09-28 07:40:33 PDT
confirmed.  nifty, we missed one. :(
Comment 2 George Hotelling 2001-10-01 09:23:17 PDT
Created attachment 51521 [details] [diff] [review]
A patch that seems to have fixed the problem on my installation.
Comment 3 George Hotelling 2001-10-01 09:26:02 PDT
I took most of the code for my patch from enter_bug.cgi.  This is my first time 
playing with the bugzilla code so please double or triple check my work.
Comment 4 Myk Melez [:myk] [@mykmelez] 2001-10-01 15:01:31 PDT
George, can you attach a unified version of your patch?  ("cvs diff -u")
Comment 5 George Hotelling 2001-10-01 16:17:40 PDT
Created attachment 51609 [details] [diff] [review]
Unified version of the patch
Comment 6 Gervase Markham [:gerv] 2001-11-11 23:14:23 PST
We should factor out the common code. 

My idea: wait for the enter_bug.cgi templatisation to land and then make a patch
factoring it out into some common file.

Gerv
Comment 7 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-20 20:53:33 PST
Created attachment 58650 [details] [diff] [review]
same as previous, but applies cleanly

This patch is identical to the one above, but it applies cleanly.  Not sure
what was wrong with the above one, but patch complained about garbage in the
file and wasn't able to determine what file was being patched.
Comment 8 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-20 20:55:05 PST
Comment on attachment 58650 [details] [diff] [review]
same as previous, but applies cleanly

r= justdave

it works as advertised, tried it on my local install.
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-20 21:20:40 PST
Comment on attachment 58650 [details] [diff] [review]
same as previous, but applies cleanly

I'm retracting my review...

scenario:

User does not have access to the product the bug is in.  Either the product bit
on the bug was turned off, or the cc_accessible bit is on and the user was CCed
on the bug.  If the user looks at the bug, it's not going to show the product
the bug is in, and it's also going to force the user to change the product to
something he does have access to if he tries to edit the bug.

It needs to add the current product to the @products list, even if the user
can't see it.
Comment 10 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-20 21:28:50 PST
Created attachment 58658 [details] [diff] [review]
Patch v2 - include current product in popup

This one ensures that the product being checked isn't the current product
before removing it from consideration for the @product list.
Comment 11 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-20 21:39:02 PST
Created attachment 58659 [details] [diff] [review]
Patch v3 - disallow new shouldn't be checked either for current product

This one, besides avoiding removing the product from the list if the product
the bug is already in has disallownew set, also redoes the patch to conform to
style guidelines (no tabs, 4-space indent, uncuddled else)
Comment 12 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-20 21:40:55 PST
Created attachment 58660 [details] [diff] [review]
Patch v4 - adds a comment I forgot. :)
Comment 13 Bradley Baetz (:bbaetz) 2001-11-20 21:43:32 PST
Comment on attachment 58660 [details] [diff] [review]
Patch v4 - adds a comment I forgot. :)

r=bbaetz (finally :) I can't test this ATM, though, so the second reviewer will
have to.
Comment 14 Christopher Aillon (sabbatical, not receiving bugmail) 2001-11-21 00:25:32 PST
Comment on attachment 58660 [details] [diff] [review]
Patch v4 - adds a comment I forgot. :)

Code looks solid and it works great.  I tested it with a user on another bug,
and a user on the current bug. I also tested with disallownew set.

r=caillon
Comment 15 Christopher Aillon (sabbatical, not receiving bugmail) 2001-11-21 00:30:14 PST
Re-assigning to Dave since it's his patch.
Comment 16 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-21 00:37:34 PST
reassigning to the original author so we have a contributor record
Comment 17 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-21 00:38:53 PST
checked in on the trunk:

/cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v  <--  bug_form.pl
new revision: 1.84; previous revision: 1.83

checked in on the 2.14.1 security release branch:

/cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v  <--  bug_form.pl
new revision: 1.70.2.1; previous revision: 1.70
Comment 18 David D. Kilzer (ddk) 2001-12-03 16:31:26 PST
This patch created a bug when there is only one product defined.  No
"product" HTML form variable was set in show_bug.cgi, thus
process_bug.cgi would trip around line 139 since $::FORM{'product'}
would not equal $::oldproduct:

if ( ($::FORM{'id'} && $::FORM{'product'} ne $::oldproduct)
       || (!$::FORM{'id'} && $::FORM{'product'} ne $::dontchange) ) {

I will be attaching a small patch shortly that will fix this issue by
setting a hidden form variable named "product" when only one product
exists.
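The three behaviours discussed in comments 9, 11 and 18 (filter the popup by the user's group access, always keep the bug's current product even when the user cannot see it or it has disallownew set, and emit a hidden "product" field when only one product remains so process_bug.cgi still gets a value to compare against $::oldproduct) can be shown together in one piece of Perl. This is an added illustration, not Bugzilla's own bug_form.pl; the product table, group bits and user bit masks are constructed sample data standing in for the real products and groups tables, and html_quote is a local helper rather than a Bugzilla function.

```perl
#!/usr/bin/perl
# Added illustration (not Bugzilla's bug_form.pl): build the Product: popup for
# the bug-change form so that it lists only products the user may see, always
# keeps the bug's current product, and emits a hidden "product" field when there
# is a single choice so process_bug.cgi still receives a value to compare
# against $::oldproduct.
use strict;
use warnings;

# Constructed sample data standing in for the products/groups tables: the group
# bit that guards each product (0 = visible to everyone) and its disallownew flag.
my %product_bit  = ( Foo => 1, Bar => 2, Baz => 4 );
my %disallow_new = ( Foo => 0, Bar => 0, Baz => 1 );

# Minimal HTML attribute quoting so a product name cannot break out of the markup
# (local helper, not Bugzilla's value_quote).
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Products to offer in the popup.
#   $user_bits   - OR of the group bits the logged-in user holds
#   $cur_product - product the bug currently belongs to
sub product_popup_list {
    my ($user_bits, $cur_product) = @_;
    my @products;
    foreach my $prod (sort keys %product_bit) {
        # The current product is always listed, even when the user cannot see it
        # (e.g. reached the bug through cc_accessible) or it has disallownew set;
        # otherwise the form would force the user to move the bug elsewhere.
        if ($prod ne $cur_product) {
            my $bit = $product_bit{$prod};
            next if $bit && !($user_bits & $bit);   # no access to this product
            next if $disallow_new{$prod};           # no new bugs may enter it
        }
        push @products, $prod;
    }
    return @products;
}

# Render the Product: field. With a single product there is no <select>, so a
# hidden input carries the value process_bug.cgi compares against $::oldproduct.
sub render_product_field {
    my ($user_bits, $cur_product) = @_;
    my @products = product_popup_list($user_bits, $cur_product);
    if (@products == 1) {
        my $q = html_quote($products[0]);
        return qq{<input type="hidden" name="product" value="$q">$q};
    }
    my $html = qq{<select name="product">\n};
    foreach my $p (@products) {
        my $q   = html_quote($p);
        my $sel = $p eq $cur_product ? ' selected' : '';
        $html .= qq{  <option value="$q"$sel>$q</option>\n};
    }
    return $html . "</select>";
}

# Constructed checks: Alice holds only the Foo bit; an admin holds all three.
my ($alice, $admin) = (1, 7);
my @only_foo = product_popup_list($alice, 'Foo');
die "expected just Foo" unless "@only_foo" eq 'Foo';
die "single product must yield a hidden field"
    unless render_product_field($alice, 'Foo') =~ /type="hidden" name="product" value="Foo"/;
die "current product must survive the access filter"
    unless join(',', product_popup_list($alice, 'Bar')) eq 'Bar,Foo';
die "current product must survive disallownew"
    unless join(',', product_popup_list($admin, 'Baz')) eq 'Bar,Baz,Foo';
die "disallownew product must be dropped when not current"
    unless join(',', product_popup_list($admin, 'Foo')) eq 'Bar,Foo';
print render_product_field($alice, 'Bar'), "\n";
```

The checks at the bottom mirror the cases from the thread: Alice on a Foo bug with a single product gets a hidden field instead of a popup; Alice CCed on a Bar bug still sees Bar (but not Baz); a product with disallownew is kept only when it is the bug's current product.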
Comment 19 David D. Kilzer (ddk) 2001-12-03 16:33:45 PST
Created attachment 60249 [details] [diff] [review]
Fix v.1 to Patch v.4

Patch to fix the issue when only one product is defined in Bugzilla.
This patch should be applied after Patch v.4 (attachment 58660 [details] [diff] [review]).
Comment 20 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-12-03 16:39:24 PST
Comment on attachment 60249 [details] [diff] [review]
Fix v.1 to Patch v.4

pretty obvious :)
r=justdave
Comment 21 Bradley Baetz (:bbaetz) 2001-12-09 09:05:01 PST
Comment on attachment 60249 [details] [diff] [review]
Fix v.1 to Patch v.4

r=bbaetz for 2.14.1 and trunk. Untested but obvious; justdave says he has
tested, though.
Comment 22 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-12-09 12:28:13 PST
Checked in on the trunk:

/cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v  <--  bug_form.pl
new revision: 1.85; previous revision: 1.84

and on the 2.14.1 branch:

/cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v  <--  bug_form.pl
new revision: 1.70.2.2; previous revision: 1.70.2.1
Comment 23 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-12-10 17:26:45 PST
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment.  Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release
Comment 24 Daniel Schwager 2002-02-19 11:25:28 PST
*** Bug 126363 has been marked as a duplicate of this bug. ***
