Closed
Bug 108516
Opened 23 years ago
Closed 23 years ago
[security] It's possible to file a bug as somebody you're not.
Categories: Bugzilla :: Creating/Changing Bugs, defect, P1
Tracking: RESOLVED FIXED, target milestone Bugzilla 2.16
People: Reporter: nobody, Assigned: justdave
Details: Whiteboard: applied to 2.14.1
Attachments (1 file, 1 obsolete file)
patch, 2.62 KB; reviews: bbaetz review+, jacob review+
If you take the enter bug form and hack it to change the reporter field, you can file a bug as anybody you want... to prove my point, I'm gonna file as nobody :)
Comment 1•23 years ago
BTW, that was really me filing... :)
Comment 3•23 years ago
$::FORM{'reporter'} is the value that's passed from enter_bug to post_bug... it shouldn't be passed as a form element and instead be "detected" by post_bug.cgi
Comment 4•23 years ago
Oh, and no mail will be sent till the bmo upgrade to people not in the group. But you all know that, right? ;)
Comment 5•23 years ago
Ya, we've got the same deal here as for bug 108385... :)
Assignee
Comment 6•23 years ago
Comment 7•23 years ago
Comment on attachment 56556: Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})
You could just add it to the end instead (like we do for groupset and delta_ts). r=bbaetz anyway
Attachment #56556 -
Flags: review+
Assignee
Comment 8•23 years ago
Comment on attachment 56556: Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})
You're right, that's a better way to do it.
Attachment #56556 -
Attachment is obsolete: true
Attachment #56556 -
Flags: review+
Assignee
Comment 9•23 years ago
Comment 10•23 years ago
-> Patch Author
Assignee: myk → justdave
Severity: normal → blocker
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment 11•23 years ago
Comment on attachment 56558: Patch v2 - manually insert reporter=$::userid into the SQL query
We could possibly get rid of the reporter field in enter_bug.cgi. We may want to keep it in for debugging, though. r=bbaetz
Attachment #56558 -
Flags: review+
Comment 12•23 years ago
Comment on attachment 56558: Patch v2 - manually insert reporter=$::userid into the SQL query
OK, it works... We probably should remove it from bug_form.cgi because:
a) it's not needed
b) it looks like a hole
But that's (probably) just one line and shouldn't hold up getting this in :) r=jake
Attachment #56558 -
Flags: review+
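The pattern Comment 3 describes and the v2 patch reviewed in Comments 11 and 12 corrects, shown as an added illustration rather than Bugzilla's own post_bug.cgi code: the reporter column must come from the authenticated user, never from a form field the client can edit. The %form hash, $session_userid, the column list and the bugs table layout are constructed for the example; Bugzilla's real globals are %::FORM and $::userid, and the SQL is only assembled here, not executed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: what a hacked enter_bug form might POST to post_bug.cgi.
# The hidden 'reporter' field has been edited to another account's user id,
# while the login cookie (checked server-side) belongs to user 7.
my %form = (
    short_desc => 'Example bug',
    product    => 'Bugzilla',
    reporter   => 42,    # tampered by the client
);
my $session_userid = 7;  # assumed result of the login check (Bugzilla: $::userid)

# Columns a submitter is allowed to set; everything else is server-derived.
my @CLIENT_SETTABLE = ('short_desc', 'product');

# Build an INSERT with bind placeholders from a column list and a value list.
sub build_insert {
    my ($cols, $vals) = @_;
    my $sql = 'INSERT INTO bugs (' . join(', ', @$cols) . ') VALUES ('
            . join(', ', ('?') x @$cols) . ')';
    return ($sql, $vals);
}

# Before the fix: every column, reporter included, is read straight from the form.
sub insert_vulnerable {
    my ($form) = @_;
    my @cols = (@CLIENT_SETTABLE, 'reporter');
    my @vals = map { $form->{$_} } @cols;
    return build_insert(\@cols, \@vals);
}

# After the fix: reporter is appended from the authenticated session, and the
# form's 'reporter' value is never read.
sub insert_fixed {
    my ($form, $userid) = @_;
    my @cols = (@CLIENT_SETTABLE, 'reporter');
    my @vals = ((map { $form->{$_} } @CLIENT_SETTABLE), $userid);
    return build_insert(\@cols, \@vals);
}

# Audit: list submitted parameters the server is supposed to derive itself, so a
# tampered request can be logged or rejected before the INSERT runs.
sub unexpected_fields {
    my ($form) = @_;
    my %allowed = map { $_ => 1 } @CLIENT_SETTABLE;
    return grep { !$allowed{$_} } sort keys %$form;
}

my ($sql_v, $vals_v) = insert_vulnerable(\%form);
my ($sql_f, $vals_f) = insert_fixed(\%form, $session_userid);
print "SQL:        $sql_f\n";
print "vulnerable: reporter bound to $vals_v->[-1] (taken from the form)\n";
print "fixed:      reporter bound to $vals_f->[-1] (taken from the session)\n";
my @extra = unexpected_fields(\%form);
print "unexpected fields in request: @extra\n" if @extra;
```

The insert_fixed routine mirrors what Comment 11 describes for patch v2 (reporter=$::userid written into the query by the server), and unexpected_fields is the check that would flag the leftover hidden reporter field Comments 11 and 12 suggest removing from the form: once the server stops reading it, its presence in a request is a sign of tampering rather than of normal use.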
Assignee
Comment 13•23 years ago
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi new revision: 1.36; previous revision: 1.35
Status: NEW → RESOLVED
Closed: 23 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → FIXED
Summary: It's possible to file a bug as somebody you're not. → [security] It's possible to file a bug as somebody you're not.
Assignee
Comment 14•23 years ago
This applied to the 2.14.1 branch with no changes.
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi new revision: 1.34.2.1; previous revision: 1.34
Whiteboard: applied to 2.14.1
Comment 15•23 years ago
shouldn't this bug be closed out now?
Assignee
Comment 16•23 years ago
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is add names to the CC list, so I guess I have to make a comment. Anyhow, adding the representatives from the organizations we know of that support Bugzilla distributions so they're aware of our upcoming security release
Comment 17•23 years ago
Opening security bugs for which fixes have appeared in an official Bugzilla release. As per justdave and his posse.
Group: security?
Reporter
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa