Closed Bug 179491 Opened 22 years ago Closed 22 years ago

Search involving attachments do not enforce attachment privacy

Categories

(Bugzilla :: Query/Bug List, defect, P2)

2.17.1
defect

Tracking

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: bugreport, Assigned: bugreport)

Attachments

(1 file, 1 obsolete file)

Good catch by bbaetz on this one...

It is possible for a user without access to private attachments to qualify a bug
query on the contents of an attachment to which that user is supposed to have no
access. (The user still cannot access the attachment itself)

The fix for this is small and low-risk.
Attached patch patch (obsolete)
Status: NEW → ASSIGNED
Priority: -- → P2
Summary: Searchs of attchamnets containing a string do not enforce attchment privacy → Searchs of attchaments containing a string do not enforce attchment privacy
Target Milestone: --- → Bugzilla 2.18
Attachment #105832 - Flags: review?(myk)
Attached patch patch v2
changed < 1 to = 0
Attachment #105832 - Attachment is obsolete: true
Attachment #105916 - Flags: review+
Attachment #105832 - Flags: review?(myk)

Checking in Bugzilla/Search.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Search.pm,v  <--  Search.pm
new revision: 1.34; previous revision: 1.33
done

Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Summary: Searchs of attchaments containing a string do not enforce attchment privacy → Searchs of attachments containing a string do not enforce attchment privacy
Clearing security bit on fixed bug. This bug affected people who obtained a
development release between:

2002/08/19 21:17:20 to 2002/11/12 01:58:02 US/Pacific

(+/- about 15 minutes for the cvs mirror)

It was possible for a user to search on attachment titles/status, and get
results even if they couldn't see the attachment. Only existence or absence of
an attribute could be tested; the exact contents and description of the summary
remained hidden. This only affected installations who used the 'insidergroup'
feature.
Group: webtools-security
Summary: Searchs of attachments containing a string do not enforce attchment privacy → Search involving attachments do not enforce attchment privacy
QA Contact: matty_is_a_geek → default-qa
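
The class of flaw discussed in this bug, as an added example that is not part of the bug report and is not Bugzilla's code: a bug search joined against attachment rows without a privacy condition lets a non-insider learn which bugs have a matching private attachment, while the filtered join does not. The schema, sample rows and function names are constructed assumptions; the `= 0` comparison follows the wording of the patch v2 comment.

```python
import sqlite3

# Constructed, simplified schema and rows; a real installation has many more columns.
SCHEMA = """
CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, short_desc TEXT);
CREATE TABLE attachments (
    attach_id   INTEGER PRIMARY KEY,
    bug_id      INTEGER NOT NULL REFERENCES bugs(bug_id),
    description TEXT NOT NULL,
    isprivate   INTEGER NOT NULL DEFAULT 0
);
INSERT INTO bugs VALUES (1, 'Crash on startup'), (2, 'Login page typo');
INSERT INTO attachments VALUES
    (10, 1, 'stack trace', 0),
    (11, 2, 'customer contract draft', 1);
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search_by_attachment(db, needle, is_insider, enforce_privacy=True):
    """Return ids of bugs with an attachment whose description contains needle."""
    sql = ("SELECT DISTINCT bugs.bug_id FROM bugs "
           "JOIN attachments ON attachments.bug_id = bugs.bug_id")
    if enforce_privacy and not is_insider:
        # Put the privacy condition in the join so private rows are never
        # visible to any search term evaluated afterwards.
        sql += " AND attachments.isprivate = 0"
    sql += " WHERE instr(attachments.description, ?) > 0 ORDER BY bugs.bug_id"
    return [row[0] for row in db.execute(sql, (needle,))]


if __name__ == "__main__":
    db = make_db()
    # Unfiltered join: the bug list itself reveals the private attachment.
    print(search_by_attachment(db, "contract", False, enforce_privacy=False))
    # Filtered join: the same query gives a non-insider nothing.
    print(search_by_attachment(db, "contract", False))
    # Insiders still find it.
    print(search_by_attachment(db, "contract", True))
```

A regression test for this kind of fix should assert that a non-insider gets identical results whether or not the private attachment exists, since any difference in the bug list is the leak.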