Bug 108516 - [security] It's possible to file a bug as somebody you're not.
Status: RESOLVED FIXED
applied to 2.14.1
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
Version: 2.15
Platform: All All
Importance: P1 blocker
Target Milestone: Bugzilla 2.16
Assigned To: Dave Miller [:justdave] (justdave@bugzilla.org)
QA Contact: default-qa
Mentors:
Depends on:
Blocks:
Reported: 2001-11-05 07:30 PST by Nobody; OK to take it and work on it
Modified: 2012-12-18 20:46 PST
CC: 9 users
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'}) (2.53 KB, patch)
2001-11-05 07:58 PST, Dave Miller [:justdave] (justdave@bugzilla.org)
no flags
Patch v2 - manually insert reporter=$::userid into the SQL query (2.62 KB, patch)
2001-11-05 08:23 PST, Dave Miller [:justdave] (justdave@bugzilla.org)
bbaetz: review+
jake: review+

Description Nobody; OK to take it and work on it 2001-11-05 07:30:36 PST
If you take the enter bug form and hack it to change the reporter field, you can
file a bug as anybody you want... to prove my point, I'm gonna file as nobody :)
Comment 1 Jacob Steenhagen 2001-11-05 07:31:11 PST
BTW, that was really me filing... :)
Comment 2 Bradley Baetz (:bbaetz) 2001-11-05 07:33:10 PST
jake wanted this added to the security group.
Comment 3 Jacob Steenhagen 2001-11-05 07:34:52 PST
$::FORM{'reporter'} is the value that's passed from enter_bug to post_bug... it
shouldn't be passed as a form element and instead be "detected" by post_bug.cgi
Comment 4 Bradley Baetz (:bbaetz) 2001-11-05 07:35:45 PST
Oh, and no mail will be sent til the bmo upgrade to people not in the group. But
you all know that, right? ;)
Comment 5 Jacob Steenhagen 2001-11-05 07:48:28 PST
Ya, we've got the same deal here as for bug 108385...  :)
Comment 6 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-05 07:58:25 PST
Created attachment 56556
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})
Comment 7 Bradley Baetz (:bbaetz) 2001-11-05 08:16:53 PST
Comment on attachment 56556
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})

You could just add it to the end instead (like we do for groupset and delta_ts)

r=bbaetz anyway
Comment 8 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-05 08:21:56 PST
Comment on attachment 56556
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})

you're right, that's a better way to do it.
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-05 08:23:05 PST
Created attachment 56558
Patch v2 - manually insert reporter=$::userid into the SQL query
Comment 10 Jacob Steenhagen 2001-11-05 08:55:19 PST
-> Patch Author
Comment 11 Bradley Baetz (:bbaetz) 2001-11-05 10:14:23 PST
Comment on attachment 56558
Patch v2 - manually insert reporter=$::userid into the SQL query

We could possibly get rid of the reporter field in enter_bug.cgi

We may want to keep it in for debugging, though

r=bbaetz
Comment 12 Jacob Steenhagen 2001-11-05 11:05:17 PST
Comment on attachment 56558
Patch v2 - manually insert reporter=$::userid into the SQL query

OK, it works... We probably should remove it from bug_form.cgi because:
a) it's not needed
b) It looks like a hole
But that's (probably) just one line and shouldn't hold up getting this in :)

r=jake
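The two patterns the reviews above contrast, as an added Python illustration that is not Bugzilla's own Perl code: a reporter column filled from a hidden form field (the pre-fix post_bug.cgi behaviour) next to one filled from the server-side session identity (the approach of Patch v2), plus a check that flags a submission whose form-supplied reporter disagrees with the logged-in user. The in-memory sqlite3 table, the user ids and the tampered form are constructed for the example.

```python
import sqlite3

# Constructed stand-in for Bugzilla's $::userid: the id of the logged-in
# user, established server-side from the session, never from form data.
SESSION_USERID = 42


def post_bug_vulnerable(db, form, session_userid):
    """Pre-fix pattern: the reporter column is taken from a hidden form
    field, so an edited enter_bug form files the bug as any user id."""
    reporter = int(form["reporter"])  # client-controlled value
    cur = db.execute(
        "INSERT INTO bugs (short_desc, reporter) VALUES (?, ?)",
        (form["short_desc"], reporter),
    )
    return cur.lastrowid


def post_bug_fixed(db, form, session_userid):
    """Post-fix pattern: the reporter is the authenticated session user,
    written into the INSERT directly; any form 'reporter' is ignored."""
    cur = db.execute(
        "INSERT INTO bugs (short_desc, reporter) VALUES (?, ?)",
        (form["short_desc"], session_userid),
    )
    return cur.lastrowid


def spoof_attempted(form, session_userid):
    """Detection check: a form-supplied reporter that does not match the
    session user means the enter_bug form was altered before submit."""
    return "reporter" in form and int(form["reporter"]) != session_userid


def reporter_of(db, bug_id):
    row = db.execute("SELECT reporter FROM bugs WHERE bug_id = ?", (bug_id,))
    return row.fetchone()[0]


def demo():
    """Run both handlers on one tampered form; return the stored reporter
    ids and whether the tampering was detected."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, "
               "short_desc TEXT, reporter INTEGER)")
    # Constructed tampered form: hidden reporter field changed to user 1.
    tampered = {"short_desc": "filed as nobody", "reporter": "1"}
    vuln_id = post_bug_vulnerable(db, tampered, SESSION_USERID)
    fixed_id = post_bug_fixed(db, tampered, SESSION_USERID)
    return (reporter_of(db, vuln_id), reporter_of(db, fixed_id),
            spoof_attempted(tampered, SESSION_USERID))
```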
Comment 13 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-05 12:48:12 PST
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.36; previous revision: 1.35
Comment 14 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-11-17 00:07:00 PST
This applied to the 2.14.1 branch with no changes.

/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.34.2.1; previous revision: 1.34
Comment 15 Zach Lipton [:zach] 2001-11-17 09:21:04 PST
shouldn't this bug be closed out now?
Comment 16 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-12-10 17:26:49 PST
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment.  Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release
Comment 17 Mike Shaver (:shaver -- probably not reading bugmail closely) 2002-01-05 16:01:59 PST
Opening security bugs for which fixes have appeared in official bugzilla
release.  As per justdave and his posse.