[security] It's possible to file a bug as somebody you're not.

RESOLVED FIXED in Bugzilla 2.16

Status

Bugzilla
Creating/Changing Bugs
P1
blocker
RESOLVED FIXED
16 years ago
4 years ago

People

(Reporter: Nobody; OK to take it and work on it, Assigned: justdave)

Tracking

2.15
Bugzilla 2.16

Details

(Whiteboard: applied to 2.14.1)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

16 years ago
If you take the enter bug form and hack it to change the reporter field, you can
file a bug as anybody you want... to prove my point, I'm gonna file as nobody :)

Comment 1

16 years ago
BTW, that was really me filing... :)
jake wanted this added to the security group.
Group: security?

Comment 3

16 years ago
$::FORM{'reporter'} is the value that's passed from enter_bug to post_bug... it
shouldn't be passed as a form element and instead be "detected" by post_bug.cgi
Oh, and no mail will be sent 'til the bmo upgrade to people not in the group. But
you all know that, right? ;)

Comment 5

16 years ago
Ya, we've got the same deal here as for bug 108385...  :)
Created attachment 56556 [details] [diff] [review]
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})
Comment on attachment 56556 [details] [diff] [review]
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})

You could just add it to the end instead (like we do for groupset and delta_ts)

r=bbaetz anyway
Attachment #56556 - Flags: review+
Comment on attachment 56556 [details] [diff] [review]
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})

you're right, that's a better way to do it.
Attachment #56556 - Attachment is obsolete: true
Attachment #56556 - Flags: review+
Created attachment 56558 [details] [diff] [review]
Patch v2 - manually insert reporter=$::userid into the SQL query
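The fix described in comment 3 and carried by patch v2, as an added illustration that is not Bugzilla's own post_bug.cgi: the reporter column is filled from the login state (the page's $::userid) and never from the form (the page's $::FORM{'reporter'}), with server-owned columns appended after the client-settable ones. The column allowlist, the sample form hash and the DBI placeholder style are assumptions for this example; Bugzilla of that era built its SQL differently.

```perl
#!/usr/bin/perl
# Added illustration, not Bugzilla's post_bug.cgi. Builds the INSERT for a
# new bug so that server-owned columns can never be set from the request.
use strict;
use warnings;

# Constructed request: the client edited the form to carry a reporter field
# (the page's $::FORM{'reporter'}) naming someone else.
my %FORM = (
    reporter   => 42,                 # attacker-chosen; must be ignored
    short_desc => 'Spoofed report',
    product    => 'Bugzilla',
    component  => 'Creating/Changing Bugs',
);
my $userid = 7;   # stands in for $::userid: set by the login code, never by the form

# Columns the submitter is allowed to set (an assumed allowlist). Anything not
# listed is dropped, so a server-owned column added later is safe by default.
my @CLIENT_COLUMNS = qw(short_desc product component op_sys rep_platform);

sub build_bug_insert {
    my ($form, $authenticated_userid) = @_;
    my (@cols, @vals);
    for my $col (@CLIENT_COLUMNS) {
        next unless defined $form->{$col};
        push @cols, $col;
        push @vals, $form->{$col};
    }
    # Detection: a submitted reporter field has no legitimate source, so log it.
    warn "form carried reporter=$form->{reporter}; ignored in favour of $authenticated_userid\n"
        if exists $form->{reporter};
    # Server-owned columns go on the end, as the review above suggests for
    # groupset and delta_ts; the reporter is whoever is actually logged in.
    push @cols, 'reporter';
    push @vals, $authenticated_userid;
    my $sql = sprintf 'INSERT INTO bugs (%s, creation_ts, delta_ts) VALUES (%s, NOW(), NOW())',
        join(', ', @cols), join(', ', ('?') x @cols);
    return ($sql, \@vals);   # run with $dbh->do($sql, undef, @$bind) via DBI
}

my ($sql, $bind) = build_bug_insert(\%FORM, $userid);
print "$sql\n";
print 'bind values: ', join(', ', @$bind), "\n";   # reporter binds to the login id
```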

Comment 10

16 years ago
-> Patch Author
Assignee: myk → justdave
Severity: normal → blocker
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment on attachment 56558 [details] [diff] [review]
Patch v2 - manually insert reporter=$::userid into the SQL query

We could possibly get rid of the reporter field in enter_bug.cgi

We may want to keep it in for debugging, though

r=bbaetz
Attachment #56558 - Flags: review+

Comment 12

16 years ago
Comment on attachment 56558 [details] [diff] [review]
Patch v2 - manually insert reporter=$::userid into the SQL query

OK, it works... We probably should remove it from bug_form.cgi because:
a) it's not needed
b) it looks like a hole
But that's (probably) just one line and shouldn't hold up getting this in :)

r=jake
Attachment #56558 - Flags: review+
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.36; previous revision: 1.35
Status: NEW → RESOLVED
Last Resolved: 16 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → FIXED
Summary: It's possible to file a bug as somebody you're not. → [security] It's possible to file a bug as somebody you're not.
This applied to the 2.14.1 branch with no changes.

/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.34.2.1; previous revision: 1.34
Whiteboard: applied to 2.14.1

Comment 15

16 years ago
Shouldn't this bug be closed out now?
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment.  Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release
Opening security bugs for which fixes have appeared in official Bugzilla
release.  As per justdave and his posse.
Group: security?
(Reporter)

Updated

4 years ago
QA Contact: matty_is_a_geek → default-qa