Closed Bug 108516 Opened 23 years ago Closed 23 years ago

[security] It's possible to file a bug as somebody you're not.

Categories

(Bugzilla :: Creating/Changing Bugs, defect, P1)

2.15
defect

Tracking

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: nobody, Assigned: justdave)

Details

(Whiteboard: applied to 2.14.1)

Attachments

(1 file, 1 obsolete file)

If you take the enter bug form and hack it to change the reporter field, you can file a bug as anybody you want... to prove my point, I'm gonna file as nobody :)

BTW, that was really me filing... :)

jake wanted this added to the security group.
Group: security?

$::FORM{'reporter'} is the value that's passed from enter_bug to post_bug... it shouldn't be passed as a form element and instead be "detected" by post_bug.cgi

Oh, and no mail will be sent til the bmo upgrade to people not in the group. But you all know that, right? ;)

Ya, we've got the same deal here as for bug 108385...  :)
Comment on attachment 56556 [details] [diff] [review]
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})

You could just add it to the end instead (like we do for groupset and delta_ts)

r=bbaetz anyway
Attachment #56556 - Flags: review+
Comment on attachment 56556 [details] [diff] [review]
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})

you're right, that's a better way to do it.
Attachment #56556 - Attachment is obsolete: true
Attachment #56556 - Flags: review+
-> Patch Author
Assignee: myk → justdave
Severity: normal → blocker
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment on attachment 56558 [details] [diff] [review]
Patch v2 - manually insert reporter=$::userid into the SQL query

We could possibly get rid of the reporter field in enter_bug.cgi

We may want to keep it in for debugging, though

r=bbaetz
Attachment #56558 - Flags: review+
Comment on attachment 56558 [details] [diff] [review]
Patch v2 - manually insert reporter=$::userid into the SQL query

OK, it works... We probably should remove it from bug_form.cgi because:
a) it's not needed
b) it looks like a hole
But that's (probably) just one line and shouldn't hold up getting this in :)

r=jake
Attachment #56558 - Flags: review+
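The defect and its fix, as an added Python example that is not Bugzilla's code (Bugzilla's post_bug.cgi is Perl): the vulnerable handler stores the client-supplied reporter field, as the original post_bug.cgi did with $::FORM{'reporter'}, while the fixed handler writes the session's user id, as patch v2 does with $::userid, and logs any tampered form it receives. The bugs table, the user ids and the form dicts are constructed for the example.

```python
import sqlite3

# Constructed identities: the logged-in user and the account being impersonated.
SESSION_USERID = 42   # what Bugzilla holds in $::userid once the user is logged in
VICTIM_USERID = 7     # the value an attacker writes into the tampered hidden field

audit_log = []        # where the fixed handler records tampering attempts


def make_db():
    """Constructed stand-in for Bugzilla's bugs table, with only the columns needed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY,"
               " reporter INTEGER NOT NULL, short_desc TEXT NOT NULL)")
    return db


def post_bug_vulnerable(db, form, session_userid):
    """Before the fix: the reporter column is whatever the client submitted."""
    reporter = int(form["reporter"])  # client-controlled, like $::FORM{'reporter'}
    cur = db.execute("INSERT INTO bugs (reporter, short_desc) VALUES (?, ?)",
                     (reporter, form["short_desc"]))
    return cur.lastrowid


def post_bug_fixed(db, form, session_userid):
    """After the fix: the reporter is the session user; the form field is ignored."""
    if "reporter" in form and str(form["reporter"]) != str(session_userid):
        # The hidden field should no longer be sent at all, so a mismatch means
        # a tampered form: record it for the audit trail instead of honouring it.
        audit_log.append(f"user {session_userid} submitted reporter={form['reporter']}")
    cur = db.execute("INSERT INTO bugs (reporter, short_desc) VALUES (?, ?)",
                     (session_userid, form["short_desc"]))
    return cur.lastrowid


def reporter_of(db, bug_id):
    """Who the database says filed the bug."""
    return db.execute("SELECT reporter FROM bugs WHERE bug_id = ?",
                      (bug_id,)).fetchone()[0]


def demo():
    """Send the same tampered form to both handlers; return the stored reporters."""
    tampered = {"reporter": VICTIM_USERID, "short_desc": "filed as someone else"}
    db = make_db()
    before = reporter_of(db, post_bug_vulnerable(db, tampered, SESSION_USERID))
    after = reporter_of(db, post_bug_fixed(db, tampered, SESSION_USERID))
    return before, after  # (7, 42): only the fixed handler attributes it correctly
```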
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.36; previous revision: 1.35
Status: NEW → RESOLVED
Closed: 23 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → FIXED
Summary: It's possible to file a bug as somebody you're not. → [security] It's possible to file a bug as somebody you're not.
This applied to the 2.14.1 branch with no changes.

/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v  <--  post_bug.cgi
new revision: 1.34.2.1; previous revision: 1.34
Whiteboard: applied to 2.14.1
Shouldn't this bug be closed out now?

Hmm, it seems the bulk change thinks I'm not changing anything if all I do is add names to the CC list, so I guess I have to make a comment. Anyhow, adding the representatives from the organizations we know of that support Bugzilla distributions so they're aware of our upcoming security release.

Opening security bugs for which fixes have appeared in an official Bugzilla release. As per justdave and his posse.
Group: security?
QA Contact: matty_is_a_geek → default-qa