User Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0 Build ID: 20150122214805 Steps to reproduce: When I impersonate a user, I'm requested a password before beginning the session. However, even if I leave the password empty, the session is stared without any trouble. It is as if the password was not checked at all. I've seen issues in bugzilla related to the use of LDAP. In my case, I use LDAP.
I can reproduce the issue on 4.4.8 and master. 4.2.x and older are not affected.
Looks like I regressed this in Bugzilla 4.4.3 due to bug 713926.
Ah, I found what the problem is. In relogin.cgi, when we generate login_request_token, the impersonator is already logged in, and so his user ID is used as data to generate the token. But when we validate the token after the form submission, the user is not yet authenticated, and so his user ID is not yet known, and issue_hash_token() falls back to the IP address as data. This means that the generated token doesn't match the initial one, and the validation fails, and so the Bugzilla::Auth system falls back to the existing login cookie of the impersonator, which exists and is valid, which is why the password is silently ignored.
Created attachment 8564457 [details] [diff] [review] patch, v1 We must momentarily unset the user ID when generating the token as this information is not available when authenticating the user credentials.
Decreasing the severity based on the discussion which took place in bug 502649. mkanat suggested to drop this extra password check before starting a sudo session. The impersonator must already be logged in and must have the required privs, and so this regression doesn't let you abuse Bugzilla to become an impersonator if you don't already have the required privs.
Comment on attachment 8564457 [details] [diff] [review] patch, v1 Review of attachment 8564457 [details] [diff] [review]: ----------------------------------------------------------------- r=dkl
To ssh://firstname.lastname@example.org/bugzilla/bugzilla.git 9f76caa..10aa3f0 master -> master To ssh://email@example.com/bugzilla/bugzilla.git b4c5ed1..c473640 5.0 -> 5.0 To ssh://firstname.lastname@example.org/bugzilla/bugzilla.git 24b471d..0a18f0f 4.4 -> 4.4