Closed Bug 1058355 Opened 10 years ago Closed 10 years ago

bugzilla.mozilla.org leaks emails to logged out users in "Latest Activity" search URLs

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
minor

Tracking

()

RESOLVED FIXED

People

(Reporter: mattm, Assigned: dkl)

Details

(Keywords: sec-low)

Attachments

(1 file)

Logged out users shouldn't be able to see emails in Bugzilla.

Viewing a user's profile page (e.g., https://bugzilla.mozilla.org/user_profile?user_id=412226 ) when logged out has a "Last Activity" URL; this URL contains the user's email address.
Group: bugzilla-security
Component: Extensions: BMO → Extensions: UserProfile
Not just Last Activity: all of the search links in the User Statistics section too.
Assignee: nobody → dkl
Status: NEW → ASSIGNED
Attached patch 1058355_1.patch (Splinter Review)
Rather than fix all of the other CGIs that require an email such as query.cgi and request.cgi, I opted to just display read-only values for logged-out users.
Attachment #8478794 - Flags: review?(glob)
Flags: sec-bounty?
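As an added regression check for the leak described in this bug (not code from the Bugzilla project or the attached patch): it parses a rendered profile page and reports every e-mail address embedded in a link target, so a logged-out fetch of the page can be asserted clean after the change. The HTML rows and the query parameter names in them are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Loose e-mail pattern, enough to spot an address embedded in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collects every href value from <a> tags in the rendered page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def emails_leaked_in_links(html):
    """Sorted e-mail addresses found in link targets of the given HTML.

    Decoded query values (?email1=user%40example.com) and the decoded path
    (mailto:, path segments) are both inspected, so percent-encoding hides nothing.
    """
    collector = _LinkCollector()
    collector.feed(html)
    leaked = set()
    for href in collector.hrefs:
        parsed = urlparse(href)
        for values in parse_qs(parsed.query, keep_blank_values=True).values():
            for value in values:
                leaked.update(EMAIL_RE.findall(value))
        leaked.update(EMAIL_RE.findall(unquote(parsed.path)))
    return sorted(leaked)


# Constructed sample of the User Statistics section as a logged-out visitor
# saw it before the fix: the value is a search link whose query string
# carries the account's e-mail (parameter names are illustrative).
BEFORE_FIX = """<tr><td>Last Activity</td>
<td><a href="buglist.cgi?email1=jane.doe%40example.com&amp;emailtype1=exact">
2014-08-25</a></td></tr>"""

# Same row rendered the way the patch describes: a read-only value, no link.
AFTER_FIX = """<tr><td>Last Activity</td><td>2014-08-25</td></tr>"""

if __name__ == "__main__":
    print(emails_leaked_in_links(BEFORE_FIX))  # ['jane.doe@example.com']
    print(emails_leaked_in_links(AFTER_FIX))   # []
```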
Comment on attachment 8478794 [details] [diff] [review]
1058355_1.patch

Review of attachment 8478794 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob

None of the lines within IF blocks are indented correctly; fix on commit.
Attachment #8478794 - Flags: review?(glob) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   d5c1d67..fe5deaa  master -> master

Downgrading priority due to the semi-public nature of email addresses on bmo.
Severity: normal → minor
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: bugzilla-security
Given the public nature of email addresses on bmo (anyone can get an account, and we have query APIs that are public), this doesn't meet the criteria for the bug bounty.
Flags: sec-bounty? → sec-bounty-
Keywords: sec-low
Component: Extensions: UserProfile → Extensions