Closed Bug 1632650 Opened 5 years ago Closed 3 years ago

Hidden dependency and regression changes are still shown in email notifications

Categories: bugzilla.mozilla.org :: Email Notifications, defect

Tracking: RESOLVED DUPLICATE of bug 1628759

People: Reporter: jld, Assigned: dkl

Keywords: sec-want, wsec-disclosure

Changes that add dependencies and regressions that would be hidden by bug 1591549 appear to still send email giving the bug number (but without the summary in the “referenced bugs” section). If this is the behavior — I have an example of it, but I can't see the security bug so I can't confirm that it was hidden at the time of the email — this probably is not what the user was expecting.

The security team would strongly want this information not to leak in mail. It's too easy to be a component watcher to slurp up all these mailed changes and then focus on the bugs where relations are set that you can't access.

I will update the email code, which pulls the entries out of the bugs_activity table and not the usual places, to just omit the id completely instead of stripping the summaries.

Assignee: nobody → dkl
Status: NEW → ASSIGNED

Filtering of private bugs from the references list in the email has been working for a long time.
https://github.com/mozilla-bteam/bmo/blob/master/Bugzilla/BugMail.pm#L309-L313

But the added/removed table in the emails, which shows the dependency and see-also ids, does still show the bug ids, so that does need to be fixed. I am fixing both see-also and dependency leakage in that table in bug 1628759, since the same code has to be touched anyway.
https://github.com/mozilla-bteam/bmo/pull/1782

Depends on: 1628759
Blocks: 1746409
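The fix described in the comments above (omit ids the recipient cannot see from the added/removed table, rather than only stripping summaries from the references list) is shown here as an added example. This is not Bugzilla's or bmo's code: the activity rows, the field names (`dependson`, `blocked`, `regressed_by`, `regresses`, `see_also`), the local instance URL pattern and the `can_see` visibility predicate are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumed names of the activity-table fields whose values are lists of bug ids.
ID_LIST_FIELDS = {"dependson", "blocked", "regressed_by", "regresses"}
SEE_ALSO_FIELD = "see_also"
# Assumed pattern for see-also links that point at a bug on the local instance.
LOCAL_BUG_URL_RE = re.compile(
    r"^https?://bugzilla\.mozilla\.org/show_bug\.cgi\?id=(\d+)$"
)


@dataclass(frozen=True)
class ActivityRow:
    """One row of the added/removed table, values comma-separated as stored."""
    field: str
    removed: str
    added: str


def _split(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def _visible_ids(value: str, can_see: Callable[[int], bool]) -> List[str]:
    """Keep only the bug ids the recipient is allowed to see."""
    return [v for v in _split(value) if v.isdigit() and can_see(int(v))]


def _visible_see_also(value: str, can_see: Callable[[int], bool]) -> List[str]:
    """External links pass through; local bug links only when that bug is visible."""
    kept = []
    for url in _split(value):
        match = LOCAL_BUG_URL_RE.match(url)
        if match is None or can_see(int(match.group(1))):
            kept.append(url)
    return kept


def filter_activity_for_recipient(
    rows: Iterable[ActivityRow], can_see: Callable[[int], bool]
) -> List[ActivityRow]:
    """Drop hidden ids from id-list fields; rows with nothing visible vanish."""
    out = []
    for row in rows:
        if row.field in ID_LIST_FIELDS:
            removed = _visible_ids(row.removed, can_see)
            added = _visible_ids(row.added, can_see)
        elif row.field == SEE_ALSO_FIELD:
            removed = _visible_see_also(row.removed, can_see)
            added = _visible_see_also(row.added, can_see)
        else:
            out.append(row)
            continue
        # An empty "Depends on" row would still reveal that a hidden link was
        # set, so when nothing the recipient may see changed, omit the row.
        if not removed and not added:
            continue
        out.append(ActivityRow(row.field, ", ".join(removed), ", ".join(added)))
    return out


def filter_references(bug_ids: Iterable[int], can_see: Callable[[int], bool]) -> List[int]:
    """Same rule applied to the "Referenced Bugs" footer: visible ids only."""
    return [b for b in bug_ids if can_see(b)]


def render_changes(rows: Iterable[ActivityRow]) -> List[str]:
    """Render the filtered table as plain-text lines for the mail body."""
    return [f"{r.field}: {r.removed or '(none)'} -> {r.added or '(none)'}" for r in rows]


# Constructed sample data, not taken from the page. 1000099 stands in for a
# security bug the recipient cannot access.
VISIBLE_TO_RECIPIENT = {1000001, 1000002}


def can_see_sample(bug_id: int) -> bool:
    return bug_id in VISIBLE_TO_RECIPIENT


SAMPLE_ROWS = [
    ActivityRow("dependson", "", "1000001, 1000099"),
    ActivityRow("blocked", "", "1000099"),
    ActivityRow(
        "see_also",
        "",
        "https://bugzilla.mozilla.org/show_bug.cgi?id=1000099, "
        "https://github.com/example/repo/pull/1",
    ),
    ActivityRow("status", "NEW", "ASSIGNED"),
]

if __name__ == "__main__":
    for line in render_changes(filter_activity_for_recipient(SAMPLE_ROWS, can_see_sample)):
        print(line)
```

The `blocked` row in the sample disappears entirely rather than rendering as an empty change, and the see-also row keeps the external link while dropping the local one; the visibility check runs once per id, so it should be backed by the same access check the bug page itself uses.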

As mentioned in comment 4, this has been addressed as part of bug 1628759, which has now been merged. The code will go live at the beginning of the year. Closing this one as well.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
No longer depends on: 1628759
No longer blocks: 1746409
No longer regressed by: 1591549