initial CC list not checked against selected groups

3 years ago

(Reporter: jfearn, Unassigned)

(1 attachment)

3 years ago
Created attachment 8678681 [details] [diff] [review]
filter cc when setting component

Description of problem:

When creating new bugs, BZ checks if users in the initial CC list are members of selected groups.  Those who are not members of any selected group are not CCed on the newly created bug.

However, the same check is not done when moving bugs between components.  That can lead to automatic CCing of folks who should not have access.

Not 100% sure this is a security bug.

You mean moving between products?  The security controls aren't component-specific.

But yeah, this is probably intentional.  If they're CCed on the bug already at that point, they already know about the bug, so there's not much point in automatically removing them.  If it was a mistake, the damage has already been done at that point, and you might as well either decide to intentionally leave them in on it or manually take them off and deal with the fallout.

Oh, I should have looked at the patch first, that clarifies things.  You mean it's adding the new default CCs for the destination component with a non-product specific security group set...

Indeed, if we check that on bug filing we ought to do it when moving as well.

This is a tough call whether it's a security issue or not.  One could say that if they were configured by an admin to be a default CC on a component, that they should be able to see anything new in that component, whether it's in a group or not, by virtue of being placed in the component that an admin configured them to watch.

On the other hand, there's the matter of consistency, and if we were already excluding them when filing a new bug, then we should be excluding them when moving as well.

Comment 4

3 years ago
I don't see this behavior. Bugzilla doesn't exclude anyone from the default CC list on bug creation. This is what I expected before I read your bug. And this matches what we discussed in bug 457697.

IMO, this is WONTFIX. If an admin puts a user there, there is a reason for this. If he didn't want that powerless user to be CC'ed to security bugs, then he would have asked him to simply watch the component, so that he doesn't get bugmails from security bugs.

Comment 5

3 years ago
I was right, _check_cc() does:

    # Enforce Default CC
    $cc_ids{$_->id} = 1 foreach (@{$component->initial_cc});

"enforce" as in "mandatory"/"in all cases". :) So the behavior is consistent. I see no reason to change that, and this would break existing installations relying on this behavior.
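The two policies argued over in this bug, side by side, as an added model that is not Bugzilla's own code: enforce_default_cc() follows the "Enforce Default CC" behaviour quoted in comment 5 (every default CC is added), filtered_default_cc() is the group-filtered behaviour comment 0 asked for, and audit_move() is the check an administrator can run before a move to see which default CCs would be added without being in any of the bug's groups. The User, Component and Bug classes, can_see(), the logins and the component names are all constructed for this example; only the group name bugzilla-security is borrowed from this bug's Group field.

```python
"""Model of how a component's default CC list interacts with bug group
restrictions, in the style of the Bugzilla behaviour discussed above.

Added example, not Bugzilla's code: User, Component, Bug, can_see(),
enforce_default_cc(), filtered_default_cc(), audit_move() and move_bug()
are constructed here for illustration and do not mirror Bugzilla internals.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset = frozenset()   # names of groups the user belongs to


@dataclass
class Component:
    name: str
    initial_cc: tuple                 # default CC users configured by an admin


@dataclass
class Bug:
    id: int
    component: str
    groups: frozenset = frozenset()   # restricting groups; empty means public
    cc: set = field(default_factory=set)


def can_see(user, bug):
    """Simplified visibility test: a restricted bug is visible only to members
    of at least one of its groups (reporter/assignee exemptions ignored)."""
    return not bug.groups or bool(user.groups & bug.groups)


def enforce_default_cc(bug, component):
    """Behaviour quoted in comment 5: every default CC of the component is
    added unconditionally.  Returns the logins that were added."""
    added = [u.login for u in component.initial_cc if u.login not in bug.cc]
    bug.cc.update(added)
    return added


def filtered_default_cc(bug, component):
    """Behaviour comment 0 asks for: default CCs are added only when they can
    already see the bug under its group restrictions."""
    added = [u.login for u in component.initial_cc
             if u.login not in bug.cc and can_see(u, bug)]
    bug.cc.update(added)
    return added


def audit_move(bug, component):
    """Defender's pre-move check: default CCs that the enforcing policy would
    add even though they are in none of the bug's groups."""
    return sorted(u.login for u in component.initial_cc
                  if u.login not in bug.cc and not can_see(u, bug))


def move_bug(bug, component, policy=enforce_default_cc):
    """Move a bug to a component and apply the chosen default-CC policy."""
    bug.component = component.name
    return policy(bug, component)


# Constructed sample data (not from any real installation).
ALICE = User("alice@example.test", frozenset({"bugzilla-security"}))
BOB = User("bob@example.test")                       # no group memberships
TARGET = Component("ComponentA", initial_cc=(ALICE, BOB))


def demo(policy=enforce_default_cc):
    """Move a bugzilla-security-restricted bug and report who was CCed."""
    bug = Bug(id=1, component="ComponentB",
              groups=frozenset({"bugzilla-security"}))
    flagged = audit_move(bug, TARGET)      # run before the move
    added = move_bug(bug, TARGET, policy)
    return {"flagged": flagged, "added": added, "cc": sorted(bug.cc)}


if __name__ == "__main__":
    print("enforce :", demo(enforce_default_cc))
    print("filtered:", demo(filtered_default_cc))
```

With the enforcing policy the audit flags bob before the move and he is CCed anyway; with the filtered policy only alice is added. On an installation that relies on the enforcing behaviour, audit_move() is the part worth keeping: it shows an admin which default CCs on a restricted bug's destination component are outside its groups, which is the situation comment 4 suggests handling by having such users watch the component instead.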
Group: bugzilla-security
Last Resolved: 3 years ago
Resolution: --- → WONTFIX