If I'm a user with the ability to edit other users then I have the ability to delete other users regardless of the allowuserdeletion parameter flag. I simply select a user, then change 'edit' to 'del' in the URL. This is due to two missing "exit;" lines in editusers.cgi. To find them do a search for "PutTrailer" in editusers.cgi - after every occurrence of PutTrailer (except the definition) there should be an exit on the next line. Cheers,
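The control-flow problem the reporter describes, as an added example that is not Bugzilla's editusers.cgi and is not the patch from this bug: a linear CGI-style script where every branch is expected to end in PutTrailer() followed by exit;. The guard in the 'del' branch prints a refusal page, but if the exit; is missing, execution falls through into the deletion code below it. The script runs from the command line instead of a web server; the %Param hash, the user table and the --vulnerable switch are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: a minimal editusers.cgi-shaped dispatcher.
# Usage: perl editusers_demo.pl <edit|del> <login> [--vulnerable]
use strict;
use warnings;

# Hypothetical site parameter and user table (constructed sample data).
my %Param = (allowuserdeletion => 0);
my %users = ('alice@example.com' => 'Alice', 'bob@example.com' => 'Bob');

my ($action, $login, $flag) = @ARGV;
$action ||= 'edit';
$login  ||= 'bob@example.com';
my $vulnerable = defined $flag && $flag eq '--vulnerable';

sub PutHeader  { print "Content-Type: text/plain\n\n"; }
sub PutTrailer { print "-- end of page --\n"; }

PutHeader();

unless (exists $users{$login}) {
    print "No such user: $login\n";
    PutTrailer();
    exit;
}

if ($action eq 'edit') {
    print "Editing $login ($users{$login})\n";
    PutTrailer();
    exit;
}

if ($action eq 'del') {
    # This guard is what the allowuserdeletion parameter relies on. In the
    # unpatched script the branch printed its refusal, called PutTrailer(),
    # and then fell through into the deletion code because exit; was missing.
    unless ($Param{allowuserdeletion}) {
        print "Sorry, deleting users is disabled on this installation.\n";
        PutTrailer();
        exit unless $vulnerable;   # the fix: stop here, always
    }
    delete $users{$login};
    print "Deleted $login; remaining users: ",
          join(', ', sort keys %users), "\n";
    PutTrailer();
    exit;
}

print "Unknown action '$action'\n";
PutTrailer();
exit;
```

Run it as `perl editusers_demo.pl del bob@example.com` and the refusal is the last thing printed; add `--vulnerable` and the same request prints the refusal and then deletes the user, which is exactly the fall-through the reporter found by changing 'edit' to 'del' in the URL.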
Fix, as suggested by reporter. I can confirm the bug, and that this fix prevents it. Gerv
Comment on attachment 81913: Patch v.1 Yup, that's the fix. 2xr=myk
Attachment #81913 - Flags: review+
Fixed. firstname.lastname@example.org - thank you very much for reporting this :-)
Checking in editusers.cgi;
/cvsroot/mozilla/webtools/bugzilla/editusers.cgi,v <-- editusers.cgi
new revision: 1.35; previous revision: 1.34
done
Gerv
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
This fix has been applied to b.m.o.
I just audited every instance of PutTrailer() in edit* - there are no other instances where exit; is missing. Gerv
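The audit described in the comment above, as an added example that is not part of the bug, the patch or Bugzilla's tree: a script that scans a Perl source file for PutTrailer() calls whose next meaningful line is not an exit statement, skipping the sub definition. The sample source embedded below is constructed to mimic the shape of the unpatched editusers.cgi; pass a file name to scan a real file instead.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: flag PutTrailer() calls not followed by exit;.
# Usage: perl audit_puttrailer.pl [file.cgi]   (no argument: scan the built-in sample)
use strict;
use warnings;

# Returns a list of [line_number, line_text] for every PutTrailer() call
# (the sub definition excluded) whose next non-blank, non-comment line
# does not start with "exit".
sub find_missing_exits {
    my @lines = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        my $line = $lines[$i];
        next unless $line =~ /\bPutTrailer\s*\(/;
        next if $line =~ /^\s*sub\s+PutTrailer\b/;   # skip the definition
        my $j = $i + 1;
        $j++ while $j <= $#lines && $lines[$j] =~ /^\s*(#.*)?$/;   # skip blanks/comments
        my $next = $j <= $#lines ? $lines[$j] : '';
        push @hits, [$i + 1, $line] unless $next =~ /^\s*exit\b/;
    }
    return @hits;
}

# Constructed sample in the shape of the unpatched script: the guard's
# PutTrailer() on line 12 is followed by "}" rather than "exit;".
my $sample = <<'END';
sub PutTrailer {
    print "</body></html>\n";
}
if ($action eq 'edit') {
    print "editing user";
    PutTrailer();
    exit;
}
if ($action eq 'del') {
    unless (Param('allowuserdeletion')) {
        print "deletion not allowed";
        PutTrailer();
    }
    DeleteUser($login);
    PutTrailer();
    exit;
}
END

my @lines;
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "cannot open $ARGV[0]: $!";
    @lines = <$fh>;
    close $fh;
    chomp @lines;
} else {
    @lines = split /\n/, $sample;
}

my @hits = find_missing_exits(@lines);
if (@hits) {
    printf "%d PutTrailer() call(s) without a following exit:\n", scalar @hits;
    printf "  line %d: %s\n", $_->[0], $_->[1] for @hits;
    exit 1;
}
print "OK: every PutTrailer() call is followed by exit;\n";
exit 0;
```

On the built-in sample it reports line 12 and exits non-zero, so the same check can run in CI against every edit*.cgi to catch a regression of the pattern this bug fixed.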
Target Milestone: --- → Bugzilla 2.16
another short one!
Comment on attachment 83024: Backported patch for BUGZILLA-2_14_1-BRANCH 2xr=gerv. Gerv
Attachment #83024 - Flags: review+
Checked in on BUGZILLA-2_14_1-BRANCH.
Whiteboard: applied to 2.14.2
Adding representatives of the packagers to bugs that are going into the Bugzilla 2.14.2 security update
moving secure bugzilla/webtools bugs from mozilla security group to the new bugzilla security group.
Group: security? → webtools-security?
2.14.2 is out, removing security group.