Closed
Bug 108516
Opened 23 years ago
Closed 23 years ago
[security] It's possible to file a bug as somebody you're not.
Categories
(Bugzilla :: Creating/Changing Bugs, defect, P1)
Tracking
RESOLVED FIXED
Bugzilla 2.16
People
(Reporter: nobody, Assigned: justdave)
Details
(Whiteboard: applied to 2.14.1)
Attachments
(1 file, 1 obsolete file)
2.62 KB, patch | bbaetz: review+ | jacob: review+
If you take the enter bug form and hack it to change the reporter field, you can
file a bug as anybody you want... to prove my point, I'm gonna file as nobody :)
Comment 1•23 years ago
BTW, that was really me filing... :)
Comment 3•23 years ago
$::FORM{'reporter'} is the value that's passed from enter_bug to post_bug... it
shouldn't be passed as a form element and instead be "detected" by post_bug.cgi
Comment 4•23 years ago
Oh, and no mail will be sent till the bmo upgrade to people not in the group. But
you all know that, right? ;)
Comment 5•23 years ago
Ya, we've got the same deal here as for bug 108385... :)
Comment 6•23 years ago (Assignee)
Comment 7•23 years ago
Comment on attachment 56556
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})
You could just add it to the end instead (like we do for groupset and delta_ts)
r=bbaetz anyway
Attachment #56556 - Flags: review+
Comment 8•23 years ago (Assignee)
Comment on attachment 56556
Patch v1 - use $::userid instead of DBIdToNameAndCheck($::FORM{'reporter'})
You're right, that's a better way to do it.
Attachment #56556 - Attachment is obsolete: true
Attachment #56556 - Flags: review+
Comment 9•23 years ago (Assignee)
Comment 10•23 years ago
-> Patch Author
Assignee: myk → justdave
Severity: normal → blocker
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment 11•23 years ago
Comment on attachment 56558
Patch v2 - manually insert reporter=$::userid into the SQL query
We could possibly get rid of the reporter field in enter_bug.cgi
We may want to keep it in for debugging, though
r=bbaetz
Attachment #56558 - Flags: review+
Comment 12•23 years ago
Comment on attachment 56558
Patch v2 - manually insert reporter=$::userid into the SQL query
OK, it works... We probably should remove it from bug_form.cgi because:
a) it's not needed
b) It looks like a hole
But that's (probably) just one line and shouldn't hold up getting this in :)
r=jake
Attachment #56558 - Flags: review+
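The two shapes the reviewers are comparing, as an added illustration (this is not Bugzilla's post_bug.cgi or either of the attached patches): a form-supplied reporter column beside the patch v2 approach of appending the authenticated user's id on the server side. The names `%form`, `$userid` and the two `build_insert_*` functions are assumptions standing in for `$::FORM` and `$::userid`; placeholders are used where Bugzilla 2.14 interpolated quoted values.

```perl
#!/usr/bin/perl
# Added example for bug 108516; not code from Bugzilla itself.
# %form stands in for the decoded CGI parameters ($::FORM) and $userid for the
# id of the authenticated user ($::userid). Both names are assumptions.
use strict;
use warnings;

# Vulnerable shape: the reporter column is taken straight from a form field, so
# a client that rewrites the hidden 'reporter' input picks who "filed" the bug.
sub build_insert_vulnerable {
    my (%form) = @_;
    my @cols = qw(short_desc product component reporter);
    my @vals = map { $form{$_} } @cols;
    my $sql  = 'INSERT INTO bugs (' . join(', ', @cols) . ') VALUES ('
             . join(', ', ('?') x @cols) . ')';
    return ($sql, \@vals);
}

# Hardened shape (the approach of patch v2): the form's reporter value is never
# read; the server appends the authenticated user id to the column list itself.
sub build_insert_fixed {
    my ($userid, %form) = @_;
    my @cols = qw(short_desc product component);
    my @vals = map { $form{$_} } @cols;
    push @cols, 'reporter';
    push @vals, $userid;
    my $sql  = 'INSERT INTO bugs (' . join(', ', @cols) . ') VALUES ('
             . join(', ', ('?') x @cols) . ')';
    return ($sql, \@vals);
}

# Constructed request: user 42 is logged in, but the submitted form carries a
# rewritten hidden reporter field naming user 7.
my $logged_in_userid = 42;
my %form = (
    short_desc => 'Enter-bug form accepts a client-chosen reporter',
    product    => 'Bugzilla',
    component  => 'Creating/Changing Bugs',
    reporter   => 7,
);

for my $case ([vulnerable => \&build_insert_vulnerable, [%form]],
              [fixed      => \&build_insert_fixed, [$logged_in_userid, %form]]) {
    my ($label, $builder, $args) = @$case;
    my ($sql, $vals) = $builder->(@$args);
    # reporter is the last bound value in both shapes: 7 (vulnerable) vs 42 (fixed)
    printf "%-10s %s\n  reporter bound as %s\n", $label, $sql, $vals->[-1];
}
```

Removing the hidden reporter field from the form, as comment 12 suggests, is a cleanup only; what closes the hole is that the server no longer consults it.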
Comment 13•23 years ago (Assignee)
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi
new revision: 1.36; previous revision: 1.35
Status: NEW → RESOLVED
Closed: 23 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → FIXED
Summary: It's possible to file a bug as somebody you're not. → [security] It's possible to file a bug as somebody you're not.
Comment 14•23 years ago (Assignee)
This applied to the 2.14.1 branch with no changes.
/cvsroot/mozilla/webtools/bugzilla/post_bug.cgi,v <-- post_bug.cgi
new revision: 1.34.2.1; previous revision: 1.34
Whiteboard: applied to 2.14.1
Comment 15•23 years ago
Shouldn't this bug be closed out now?
Comment 16•23 years ago (Assignee)
Hmm, it seems the bulk change thinks I'm not changing anything if all I do is
add names to the CC list, so I guess I have to make a comment. Anyhow, adding
the representatives from the organizations we know of that support Bugzilla
distributions so they're aware of our upcoming security release.
Comment 17•23 years ago
Opening security bugs for which fixes have appeared in official bugzilla
release. As per justdave and his posse.
Group: security?
Updated•12 years ago (Reporter)
QA Contact: matty_is_a_geek → default-qa