Closed Bug 1151290 Opened 10 years ago Closed 10 years ago

It is possible to tell if someone made a private comment on a bug even if you are not in the insidergroup

Categories: Bugzilla :: Query/Bug List, defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: Bugzilla 4.0
People: Reporter: mail, Assigned: mail
Attachments: 3 files, 1 obsolete file

Steps to reproduce:
1) As a user in the insiders group, make a private comment on a bug
2) As a user not in the insiders group, do a boolean search on 'Comments' 'changed by' '<email address in above step>'
Actual result: The bug in step 1 is returned
Expected result: The bug in step 1 is not returned
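The leak and its fix, modelled in Python as an added example (not Bugzilla's own Perl/SQL code): the comment rows, field names and sample data are constructed for illustration. The visibility check is applied before any comment operator, so it covers the 'changed by' operator from the steps above as well as the 'changed before' / 'changed after' operators that the 4.0 patch comment says it does not cover.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Set

# Constructed model of one row in the comments table.
# Field names are assumptions for this example, not Bugzilla's schema.
@dataclass(frozen=True)
class Comment:
    bug_id: int
    who: str           # e-mail address of the commenter
    when: datetime     # time the comment was added
    isprivate: bool    # True for insider-only comments

def visible_comments(comments: Iterable[Comment], is_insider: bool) -> List[Comment]:
    """Drop private comments for non-insiders before any operator runs, so a
    private comment can never influence which bugs a non-insider gets back."""
    return [c for c in comments if is_insider or not c.isprivate]

def search_leaky(comments: Iterable[Comment], changedby: str) -> Set[int]:
    """Pre-fix 'Comments changed by': matches private comments too, so the
    result set alone reveals that `changedby` commented on the bug."""
    return {c.bug_id for c in comments if c.who == changedby}

def search_fixed(comments: Iterable[Comment], is_insider: bool, changedby=None,
                 changedbefore=None, changedafter=None) -> Set[int]:
    """Post-fix search: every comment-based operator sees only visible comments."""
    hits: Set[int] = set()
    for c in visible_comments(comments, is_insider):
        if changedby is not None and c.who != changedby:
            continue
        if changedbefore is not None and not c.when < changedbefore:
            continue
        if changedafter is not None and not c.when > changedafter:
            continue
        hits.add(c.bug_id)
    return hits

# Constructed sample: bug 42 has a public comment by the reporter and a private
# one by an insider; bug 43 has a public comment by the same insider.
SAMPLE = [
    Comment(42, "reporter@example.org", datetime(2015, 4, 1, 9, 0), False),
    Comment(42, "insider@example.org", datetime(2015, 4, 1, 10, 0), True),
    Comment(43, "insider@example.org", datetime(2015, 4, 2, 8, 0), False),
]
```

With `SAMPLE`, `search_leaky` returns bug 42 for the insider's address, while `search_fixed` returns it only when `is_insider` is true.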
Attached patch bug1151290-40-v1.patch (obsolete)
Patch for v4.0. This version also does not hide private comments when using the changed after / changed before operators.
Attachment #8588412 - Flags: review?(dkl)
Patch for v4.2
Attachment #8588413 - Flags: review?(dkl)
Patch for 4.4, 5.0 and trunk branches (the first two patch cleanly with offsets)
Attachment #8588414 - Flags: review?(dkl)
You cannot access the content of the comment itself, so this is not a major issue.
Severity: major → normal
It's always been possible to tell that private comments exist, because of the comment numbering scheme. This also leaks who made it, which is not a massive data leak. Still, we should fix it. Gerv
Comment on attachment 8588412: bug1151290-40-v1.patch
Review of attachment 8588412:
Can't locate object method "_user" via package "Bugzilla::Search" at Bugzilla/Search.pm line 1609.
at Bugzilla/Search.pm line 1609.
Bugzilla::Search::_long_desc_changedby('Bugzilla::Search=HASH(0x3069e58)', 'multi_fields', 'ARRAY(0x27401b8)', 'sequence', 'SCALAR(0x276e590)', 'wherepart', 'ARRAY(0x273ff60)', 'having', 'ARRAY(0x273ff90)', ...) called at Bugzilla/Search.pm line 1165
Bugzilla::Search::do_search_function('Bugzilla::Search=HASH(0x3069e58)', 'HASH(0x2f1a4b0)') called at Bugzilla/Search.pm line 968
Bugzilla::Search::init('Bugzilla::Search=HASH(0x3069e58)') called at Bugzilla/Search.pm line 414
Bugzilla::Search::new('Bugzilla::Search', 'fields', 'ARRAY(0x2b41440)', 'params', 'Bugzilla::CGI=HASH(0x2e8eb88)', 'order', 'ARRAY(0x2b4db10)') called at /home/bugzilla/devel/htdocs/1151290/buglist.cgi line 832
Attachment #8588412 - Flags: review?(dkl) → review-
Comment on attachment 8588413: bug1151290-42-v1.patch
Review of attachment 8588413: r=dkl
Attachment #8588413 - Flags: review?(dkl) → review+
Comment on attachment 8588414: bug1151290-v1.patch
Review of attachment 8588414: r=dkl
Attachment #8588414 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval5.0?
Flags: approval4.4?
Flags: approval4.2?
Attached patch: patch for v4.0
Attachment #8588412 - Attachment is obsolete: true
Attachment #8591286 - Flags: review?(dkl)
Comment on attachment 8591286: patch for v4.0
Review of attachment 8591286: r=dkl
Attachment #8591286 - Flags: review?(dkl) → review+
Flags: approval4.0?
Flags: approval?
Flags: approval5.0?
Flags: approval5.0+
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Target Milestone: --- → Bugzilla 4.0
dveditz, we feel that this is more of a 'security enhancement' than a critical issue, as it only gives away the existence of a private comment and not the actual content. Do you feel it warrants a CVE ID before we release this? Thanks dkl
Flags: needinfo?(dveditz)
We already leaked the existence of the private comments as Gerv noted. This bug doesn't really leak the name of the commenter unless that is the only comment they made in the bug, or if you do a brute-force search of names against the time-range bounded by the previous and next comments in that bug. I don't think this rates a CVE.
Flags: needinfo?(dveditz)
Went ahead and committed this as we want it included in 4.4.9 and 5.0rc3, which are being put together now.
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 3961356..877ef5c 4.0 -> 4.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 6cfdba0..feca0d8 4.2 -> 4.2
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git fc4a6dd..d445f63 4.4 -> 4.4
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 74d7fca..b09ffb6 5.0 -> 5.0
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 0bcbc0f..802a5cc master -> master
dkl
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Summary: It is possible to tell if someone made a private comment on a bug even if you are not an 'insider' → It is possible to tell if someone made a private comment on a bug even if you are not in the insidergroup