Closed Bug 108516 Opened 23 years ago Closed 23 years ago

[security] It's possible to file a bug as somebody you're not.

Categories

(Bugzilla :: Creating/Changing Bugs, defect, P1)

2.15
defect

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: nobody, Assigned: justdave)

Details

(Whiteboard: applied to 2.14.1)

Attachments

(1 file, 1 obsolete file)

If you take the enter bug form and hack it to change the reporter field, you can file a bug as anybody you want... to prove my point, I'm gonna file as nobody :)
BTW, that was really me filing... :)
jake wanted this added to the security group.
Group: security?
$::FORM{'reporter'} is the value that's passed from enter_bug to post_bug... it shouldn't be passed as a form element and instead be "detected" by post_bug.cgi
Oh, and no mail will be sent til the bmo upgrade to people not in the group. But you all know that, right? ;)
Ya, we've got the same deal here as for bug 108385... :)
Comment on attachment 56556 [details] [diff] [review] Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'}) You could just add it to the end instead (like we do for groupset and delta_ts) r=bbaetz anyway
Attachment #56556 - Flags: review+
Comment on attachment 56556 [details] [diff] [review] Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'}) you're right, that's a better way to do it.
Attachment #56556 - Attachment is obsolete: true
Attachment #56556 - Flags: review+
-> Patch Author
Assignee: myk → justdave
Severity: normal → blocker
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment on attachment 56558 [details] [diff] [review] Patch v2 - manually insert reporter=$::userid into the SQL query We could possibly get rid of the reporter field in enter_bug.cgi We may want to keep it in for debugging, though r=bbaetz
Attachment #56558 - Flags: review+
Comment on attachment 56558 [details] [diff] [review] Patch v2 - manually insert reporter=$::userid into the SQL query OK, it works... We probably should remove it from bug_form.cgi because: a) it's not needed b) It looks like a hole But that's (probably) just one line and shouldn't hold up getting this in :) r=jake
Attachment #56558 - Flags: review+
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi new revision: 1.36; previous revision: 1.35
Status: NEW → RESOLVED
Closed: 23 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → FIXED
Summary: It's possible to file a bug as somebody you're not. → [security] It's possible to file a bug as somebody you're not.
This applied to the 2.14.1 branch with no changes. /cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi new revision: 1.34.2.1; previous revision: 1.34
Whiteboard: applied to 2.14.1
shouldn't this bug be closed out now?
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is add names to the CC list, so I guess I have to make a comment. Anyhow, adding the representatives from the organizations we know of that support Bugzilla distributions so they're aware of our upcoming security release
Opening security bugs for which fixes have appeared in official bugzilla release. As per justdave and his posse.
Group: security?
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: