If I'm a user with the ability to edit other users then I have the ability to delete other users regardless of the allowuserdeletion parameter flag. I simply select a user, then change 'edit' to 'del' in the URL. This is due to two missing "exit;" lines in editusers.cgi. To find them do a search for "PutTrailer" in editusers.cgi - after every occurrence of PutTrailer (except the definition) there should be an exit on the next line. Cheers,
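The control-flow bug the report describes, as an added illustration that is not Bugzilla's editusers.cgi: a CGI written as a chain of `if ($action eq '...')` blocks, where each block prints its page with PutTrailer and relies on `exit;` to stop the request. When the `exit;` after the "deletion not allowed" trailer is missing, the script keeps running and reaches the delete below it. The script emulates one request per run; the %users table, the argument handling and the Dispatch helper are assumptions made up for this demo, while PutTrailer and allowuserdeletion are the names from the report.

```perl
#!/usr/bin/perl
# Added example, not code from Bugzilla. Emulates one editusers.cgi request:
#   perl fallthrough.pl vulnerable del bob@example.org
#   perl fallthrough.pl fixed      del bob@example.org
# %users, the argument handling and Dispatch() are assumptions for the demo.
use strict;
use warnings;

my ($variant, $action, $target) = @ARGV;
$variant ||= 'vulnerable';
$action  ||= 'del';
$target  ||= 'bob@example.org';

# Constructed stand-in for the profiles table and the site parameter.
our %users = map { $_ => 1 } qw(alice@example.org bob@example.org);
our $allowuserdeletion = 0;    # the admin has switched deletion off

# Runs after exit from whichever branch got there, so the net effect of
# the "request" on the user table is printed last.
END { print "remaining users: ", join(', ', sort keys %users), "\n"; }

sub PutTrailer {
    my ($msg) = @_;
    print "$msg\n";
    print "<hr>Edit more users\n";
}

# $with_exit = 0 reproduces the reported bug; 1 is the shape of the fix,
# i.e. an unconditional 'exit;' on the line after each PutTrailer call.
sub Dispatch {
    my ($with_exit) = @_;

    if ($action eq 'edit') {
        PutTrailer("Edit form for $target");
        exit;
    }

    if ($action eq 'del') {
        if (!$allowuserdeletion) {
            PutTrailer("Sorry, deletion of users is not allowed.");
            exit if $with_exit;    # missing in the bug: falls through to delete
        }
        if (!exists $users{$target}) {
            PutTrailer("The user $target does not exist.");
            exit if $with_exit;    # the second missing exit from the report
        }
        delete $users{$target};    # reached even after "not allowed"
        PutTrailer("User $target deleted.");
        exit;
    }

    PutTrailer("Unknown action '$action'.");
    exit;
}

Dispatch($variant eq 'fixed' ? 1 : 0);
```

With `vulnerable` the output shows both the "not allowed" trailer and "User bob@example.org deleted.", and the END block lists only alice@example.org; with `fixed` the request stops at the first trailer and both users remain. The audit rule from the report (every PutTrailer except the definition must be followed by an exit) is what makes the chain-of-ifs style safe; an alternative that does not depend on remembering the line is a single `if/elsif` chain or a dispatch table, so that exactly one branch can ever run.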
Created attachment 81913 [details] [diff] [review] Patch v.1 Fix, as suggested by reporter. I can confirm the bug, and that this fix prevents it. Gerv
Comment on attachment 81913 [details] [diff] [review] Patch v.1 Yup, that's the fix. 2xr=myk
Fixed. firstname.lastname@example.org - thank you very much for reporting this :-)
Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v <-- editusers.cgi
new revision: 1.35; previous revision: 1.34
done
Gerv
This fix has been applied to b.m.o.
I just audited every instance of PutTrailer() in edit* - there are no other instances where exit; is missing. Gerv
Created attachment 83024 [details] [diff] [review] Backported patch for BUGZILLA-2_14_1-BRANCH another short one!
Comment on attachment 83024 [details] [diff] [review] Backported patch for BUGZILLA-2_14_1-BRANCH 2xr=gerv. Gerv
Checked in on BUGZILLA-2_14_1-BRANCH.
Adding representatives of the packagers to bugs that are going into the Bugzilla 2.14.2 security update
moving secure bugzilla/webtools bugs from mozilla security group to the new bugzilla security group.
2.14.2 is out, removing security group.