possible security issue with userregexps

RESOLVED FIXED in Bugzilla 2.18

16 years ago
6 years ago

(Reporter: bbaetz, Assigned: Matthew Barnson)

Bugzilla 2.18

16 years ago
Groups have userregexps for the defaults to use for new users. This is overkill
(bug 162331), but it's also a security hole.

Given a userregexp of |.*@foo.com|, I can match that with an address of
bbaetz@foo.com.my.server.com.au. This is because there isn't any ^ or $ wrapping
in InsertNewUser.

What are bmo's regexps set to? :) landfill's are buggy this way....

This could arguably be called an error on the part of the admin, but since we
don't give any examples.... ^ wrapping is probably going to break stuff, but $
shouldn't. Alternately, we can just have checksetup prepend ^.* and append $,
and then update the help text so that admins can see what went wrong.

I tested this locally by modifying /etc/hosts to make an alias for
bluemartini.com.localhost, and it worked.

Comment 1

16 years ago
bmo's group regexps are ok.
This is a documentation issue.  Since we document that we use Perl regexps,
people who know Perl regexps should know that you need a $ to terminate a regexp.

Unless we've previously given examples that don't include the $ we probably
shouldn't even release an advisory on this but just change the on-screen
instructions to point it out.  And maybe make a brief mention of it in the
release notes.
Target Milestone: --- → Bugzilla 2.18
cc:ing barnboy since this is a docs issue.
Hmm, I should reassign to barnboy rather than cc: him.
Assignee: myk → matthew
Component: User Accounts → Documentation

Comment 6

16 years ago
Sorry, work's had me busy the last week.  Will add this to Bugzilla Guide and
in-code documentation, will require review on code check-in.

Comment 7

16 years ago
We are starting to accumulate more items that are potential misconfigurations
rather than bugs, but could be automatically checked for.   This is happening at
the same time as we should be expecting many more newbie admins.  Should we add
a "configcheck.cgi" that does some configuration audits?

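Worked example, added here and not code from the bug, from Bugzilla, or from any of the commenters: it reproduces the unanchored match that comment 0 describes (|.*@foo.com| matching bbaetz@foo.com.my.server.com.au), applies the checksetup-style fix of prepending ^.* and appending $, and sketches the kind of configuration audit comment 7 asks about. It is written in Python rather than Bugzilla's Perl because re.search has the same anywhere-in-the-string behaviour as an unanchored Perl =~ // match; the regexp, logins, group names and every function name are constructed for the illustration.

```python
import re

# Constructed sample data for this example (not values from any real
# Bugzilla install): one group regexp typed the way comment 0 describes,
# and the two logins it discusses.
GROUP_REGEXP = r".*@foo.com"
LEGIT_LOGIN = "bbaetz@foo.com"
SPOOFED_LOGIN = "bbaetz@foo.com.my.server.com.au"


def matches_userregexp(regexp: str, login: str) -> bool:
    """Mimic the unanchored Perl test ($login =~ /$regexp/).

    re.search, like Perl's //, succeeds if the pattern matches *anywhere*
    in the login, so a regexp without ^ or $ behaves as a substring test.
    """
    return re.search(regexp, login) is not None


def ends_with_unescaped_dollar(regexp: str) -> bool:
    """True if the regexp's final character is a real end anchor ($),
    not a literal dollar sign written as \\$ (an even number of
    backslashes before the $ means it is unescaped)."""
    if not regexp.endswith("$"):
        return False
    body = regexp[:-1]
    backslashes = len(body) - len(body.rstrip("\\"))
    return backslashes % 2 == 0


def normalize_userregexp(regexp: str) -> str:
    """The checksetup-style fix comment 0 suggests: prepend ^.* and append $
    where they are missing.  ^.* rather than a bare ^ keeps regexps that
    relied on the implicit leading match working; the $ closes the hole."""
    if not regexp.startswith("^"):
        regexp = "^.*" + regexp
    if not ends_with_unescaped_dollar(regexp):
        regexp = regexp + "$"
    return regexp


def audit_userregexps(regexps: dict) -> list:
    """A tiny version of comment 7's configcheck idea (hypothetical helper,
    not part of Bugzilla): return (group, problem) pairs for regexps that
    do not compile or are not end-anchored."""
    findings = []
    for group, regexp in regexps.items():
        try:
            re.compile(regexp)
        except re.error as exc:
            findings.append((group, f"does not compile: {exc}"))
            continue
        if not ends_with_unescaped_dollar(regexp):
            findings.append((group, "not anchored with $; matches any login "
                                    "that merely contains the pattern"))
    return findings


if __name__ == "__main__":
    print("unanchored, spoofed:", matches_userregexp(GROUP_REGEXP, SPOOFED_LOGIN))  # True
    fixed = normalize_userregexp(GROUP_REGEXP)
    print("normalized regexp:", fixed)                                                # ^.*.*@foo.com$
    print("anchored, spoofed:", matches_userregexp(fixed, SPOOFED_LOGIN))            # False
    print("anchored, legit:", matches_userregexp(fixed, LEGIT_LOGIN))                # True
    for group, problem in audit_userregexps({"foo-devs": GROUP_REGEXP,
                                             "foo-admins": r"^.*@foo\.com$"}):
        print(f"{group}: {problem}")
```

The trailing $ is what closes the hole in the report; the unescaped dot in the sample regexp is a separate looseness (it matches any single character), which the audit above does not try to detect.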
Comment 8

16 years ago
It appears this was documented as part of bug 157756.
It's documented on the editgroups page itself as well, as of when all the groups
stuff got changed around.

I think this has been sufficiently taken care of.
Group: webtools-security
Last Resolved: 16 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa