Hidden dependency and regression changes are still shown in email notifications
Categories: bugzilla.mozilla.org :: Email Notifications, defect
People: Reporter: jld, Assigned: dkl
Keywords: sec-want, wsec-disclosure
Changes that add dependencies and regressions that would be hidden by bug 1591549 appear to still send email giving the bug number (but without the summary in the “referenced bugs” section). If this is the behavior — I have an example of it, but I can't see the security bug so I can't confirm that it was hidden at the time of the email — this probably is not what the user was expecting.
Comment 1•3 years ago
The security team would strongly want this information not to leak in mail. It's too easy for a component watcher to slurp up all these mailed changes and then focus on the bugs where relations are set that you can't access.
Comment 2•3 years ago (Assignee)
I will update the email code, which pulls the entries out of the bugs_activity table and not the usual places, to just omit the id completely instead of stripping the summaries.
Comment 4•3 years ago (Assignee)
Filtering of private bugs from the references list in the email has been working for a long time.
https://github.com/mozilla-bteam/bmo/blob/master/Bugzilla/BugMail.pm#L309-L313
But the added/removed table in the emails, which shows the dependency and see-also ids, does still show the bug ids, so that does need to be fixed. I am fixing both see-also and dependency leakage in that table in bug 1628759, since the same code has to be touched anyway.
https://github.com/mozilla-bteam/bmo/pull/1782
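The filtering that comments 2 and 4 describe, dropping from the added/removed activity table any bug id the recipient cannot see rather than only stripping summaries, as an added example in Python. This is not BMO's code (that is Perl in Bugzilla/BugMail.pm) and is not taken from the linked pull request. The field names blocked/dependson/regressed_by/regressions/see_also are Bugzilla's; the ActivityRow shape, the can_see callback, the local bug URL pattern and the sample rows are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Bugzilla activity fields whose values are comma-separated lists of bug ids.
BUG_ID_LIST_FIELDS = {"blocked", "dependson", "regressed_by", "regressions"}
# see_also holds URLs; only those pointing at a local bug can name a hidden bug.
SEE_ALSO_FIELD = "see_also"
LOCAL_BUG_URL = re.compile(r"^https://bugzilla\.mozilla\.org/show_bug\.cgi\?id=(\d+)$")


@dataclass(frozen=True)
class ActivityRow:
    """One bugs_activity entry as rendered in the What | Removed | Added table
    (assumed shape, not BMO's own data structure)."""
    field: str
    removed: str
    added: str


def local_bug_id(value: str) -> Optional[int]:
    """Bare id or local show_bug.cgi URL -> bug id; any other URL -> None."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    m = LOCAL_BUG_URL.match(value)
    return int(m.group(1)) if m else None


def scrub_list(value: str, can_see: Callable[[int], bool]) -> List[str]:
    """Keep list entries that are foreign URLs or bugs the recipient may see."""
    kept = []
    for item in (v.strip() for v in value.split(",")):
        if not item:
            continue
        bug_id = local_bug_id(item)
        if bug_id is None or can_see(bug_id):
            kept.append(item)
    return kept


def filter_activity(rows: Iterable[ActivityRow],
                    can_see: Callable[[int], bool]) -> List[ActivityRow]:
    """Return the rows safe to mail to one recipient.

    For bug-list fields the hidden ids are removed from both sides. A row whose
    filtered sides are identical (including both empty) is dropped entirely:
    a "regressed_by: (none) -> (none)" line would still tell a component
    watcher that a bug they cannot see was linked to this one.
    """
    out = []
    for row in rows:
        if row.field not in BUG_ID_LIST_FIELDS and row.field != SEE_ALSO_FIELD:
            out.append(row)
            continue
        removed = scrub_list(row.removed, can_see)
        added = scrub_list(row.added, can_see)
        if removed == added:
            continue
        out.append(ActivityRow(row.field, ", ".join(removed), ", ".join(added)))
    return out


def render_table(rows: Iterable[ActivityRow]) -> str:
    """Plain-text table in the style of a Bugzilla change notification."""
    lines = ["What        |Removed             |Added"]
    for r in rows:
        lines.append(f"{r.field:<12}|{r.removed:<20}|{r.added}")
    return "\n".join(lines)


# Constructed sample: the recipient may see bugs 100 and 200; bug 300 is hidden.
VISIBLE = {100, 200}
SAMPLE = [
    ActivityRow("status", "NEW", "ASSIGNED"),
    ActivityRow("regressed_by", "", "300"),        # only a hidden id: row vanishes
    ActivityRow("dependson", "", "200, 300"),      # 300 dropped, 200 kept
    ActivityRow("see_also", "",
                "https://bugzilla.mozilla.org/show_bug.cgi?id=300, "
                "https://github.com/mozilla-bteam/bmo/pull/1782"),  # foreign URL kept
]

if __name__ == "__main__":
    print(render_table(filter_activity(SAMPLE, VISIBLE.__contains__)))
```

The check that matters for this bug is the `removed == added` comparison: stripping the id but leaving an empty or unchanged row still discloses that a restricted bug was linked, which is exactly the signal a watcher would harvest from the mail.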
Comment 5•3 years ago (Assignee)
As mentioned in comment 4 this has been addressed as part of bug 1628759 which has now been merged. The code will go live at the beginning of the year. Closing this one as well.