Closed Bug 163135 Opened 22 years ago Closed 21 years ago

reports.cgi with usebuggroups on

Categories: Bugzilla :: Reporting/Charting, defect, P4
Version: 2.16
Status: RESOLVED INVALID
People: Reporter: rbro, Assigned: gerv

I have usebuggroups and usebuggroupsentry both turned on, so that products are
isolated to specific groups of people, and people can't see bugs that they
aren't permitted to.

If I go to my bugzilla homepage as a non-logged in user, and click on the
reports link and view a standard report, I can see a listing of e-mail
addresses and bug numbers for products that I shouldn't have access to. If I
click any bug number, I get the message that I'm not authorized to view the
bug, but should a non-logged in user (or a user who doesn't have permissions
for a product) be able to see a listing of the 'engineers' and bug numbers
relating to that product, which he otherwise should know nothing about, nor
have access to view?

While not ideal, I don't think this is a serious information leak. Those reports
are going away eventually (yes, I know I always say that, but I actually have an
implementation of their replacement) and the code is horrible, so I don't like
working with it. ;-)

Gerv
I haven't yet taken a look at the code in reports.cgi, but one thing I noticed 
is this:

If I log in as a user with access to just one product (out of the many that 
exist), on the initial reports.cgi page, the Product dropdown lists an 'All' 
option and the one product that I have access to.  If I choose that one product 
and click Continue, I get stats just for that one product, but if I 
choose 'All', I get stats for all products (including ones not listed in that 
dropdown).

Since the code to retrieve stats for just one product already exists, to fix 
the problem for the 'All' case, wouldn't the fix be to do the SQL query to get 
the list of products that the user has access to, and add them all into the 
various SQL statements for the stats, just as the one product is added in now 
to the SQL for the singular product case?
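The leak described in this comment and the suggested fix, as an added illustration that is not code from Bugzilla or from this thread: a constructed in-memory schema (table and column names are assumptions, not reports.cgi's real ones) with a report function that filters a single product but aggregates everything for 'All', beside one that first resolves the caller's accessible products and binds that list into the query.

```python
import sqlite3

# Constructed sample data, not Bugzilla's schema: each product is gated by a
# group (usebuggroups), users belong to groups, and bugs have an assignee.
SCHEMA = """
CREATE TABLE products (name TEXT PRIMARY KEY, grp TEXT);
CREATE TABLE user_group (login TEXT, grp TEXT);
CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, product TEXT, assigned_to TEXT);
INSERT INTO products VALUES ('Public','public'), ('SecretProd','secret');
INSERT INTO user_group VALUES ('alice@example.com','public'),
    ('alice@example.com','secret'), ('bob@example.com','public');
INSERT INTO bugs VALUES (1,'Public','eng1@example.com'),
    (2,'SecretProd','eng2@example.com'), (3,'SecretProd','eng3@example.com');
"""

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def visible_products(db, login):
    # Products whose gating group the user belongs to; a non-logged-in
    # caller (login None) is a member of no group and may see nothing.
    if login is None:
        return []
    rows = db.execute("SELECT p.name FROM products p JOIN user_group ug "
                      "ON ug.grp = p.grp WHERE ug.login = ?", (login,))
    return [r[0] for r in rows]

def leaky_report(db, login, product):
    # Mirrors the reported behaviour: a chosen product is filtered, but
    # 'All' (product=None) ignores the caller's groups entirely.
    sql, params = "SELECT assigned_to, COUNT(*) FROM bugs", ()
    if product is not None:
        sql, params = sql + " WHERE product = ?", (product,)
    return dict(db.execute(sql + " GROUP BY assigned_to", params))

def restricted_report(db, login, product):
    # The suggested fix: compute the caller's product list once, then bind it
    # into every stats query so that 'All' means 'all products I may see'.
    allowed = visible_products(db, login)
    if product is not None:
        allowed = [p for p in allowed if p == product]
    if not allowed:
        return {}
    marks = ",".join("?" * len(allowed))
    sql = (f"SELECT assigned_to, COUNT(*) FROM bugs WHERE product IN ({marks}) "
           "GROUP BY assigned_to")
    return dict(db.execute(sql, tuple(allowed)))
```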
I'm not saying it's unfixable - just that I don't plan to fix it, because I have
a large pile of other bugs to get through first :-) 

Gerv
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
This is all going away over in bug 16009.

Gerv
Depends on: 16009
Priority: P2 → P4
OS: Windows 2000 → All
Hardware: PC → All
This bug is now invalid, because the reports in question are no longer part of
Bugzilla.

Gerv
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
bulk removing target on WONTFIX/INVALID/WORKSFORME/DUPLICATE so they'll show up
as untriaged if they get reopened.
Target Milestone: Bugzilla 2.18 → ---
QA Contact: matty_is_a_geek → default-qa