Closed
Bug 180545
Opened 23 years ago
Closed 23 years ago
You can change the product/component on a bug without editbugs privs
Categories
(Bugzilla :: Creating/Changing Bugs, defect, P1)
Tracking: RESOLVED FIXED (Bugzilla 2.18)
People
(Reporter: justdave, Assigned: jacob)
Details
(Keywords: regression)
Attachments (1 file): patch, 2.62 KB, review+ by bbaetz
See bug 179176. Bryan Wellander changed the product from mozilla.org to NSPR.
He doesn't have any privs (neither canconfirm nor editbugs). He's also not the
reporter, qa, or assignee on that bug. I always thought that was one of the
fields that was supposed to be protected if you weren't a primary relationship
to that bug and you didn't have editbugs privs...
Comment 1•23 years ago
This sounds pretty serious to me; is this a security sensitive bug (if it's a
bug at all?)
Comment 2•23 years ago
Down with @::log_columns! We only call this for each field in @::log_columns,
and only product_id is there, not product.....
Fix is to either hack this, or change the values in the form to be numbers, not
strings. Or both.
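The gap comment 2 describes, as an added illustration that is not part of this bug's attachment and is not Bugzilla's code: a Python model, with constructed names, users and lookup tables, of a gate that walks the list of logged columns looking for a form field of the same name, beside a version that gates on the columns actually about to be written after the form has been translated. The form submits the product and component by name while the logged columns are `product_id` and `component_id`, so the first gate never fires for those two fields; the change is written and logged exactly as a permitted change would be, which is the behaviour comment 8 records. The "fixed" function is one of the two options comment 2 lists (turn the form values into ids before checking), not the patch that was actually committed, which this page does not show.

```python
# Constructed model of the process_bug.cgi permission gap from comment 2.
# Added illustration, not Bugzilla's code; all names and tables are assumptions.

# Columns whose changes go to the activity log (stands in for @::log_columns).
LOG_COLUMNS = ("product_id", "component_id", "assigned_to", "bug_status")

# The edit form submits product and component by name, not id, so for those two
# fields the submitted name differs from the logged column name.
FORM_FIELD_TO_COLUMN = {
    "product": "product_id",
    "component": "component_id",
    "assigned_to": "assigned_to",
    "bug_status": "bug_status",
}

# Stand-ins for the products/components tables (constructed sample data).
PRODUCT_IDS = {"mozilla.org": 1, "NSPR": 2}
COMPONENT_IDS = {"Miscellaneous": 10, "NSPR": 20}

NOBODY = {"login": "outsider@example.com", "groups": set()}   # no privs, no relationship
EDITOR = {"login": "editor@example.com", "groups": {"editbugs"}}


class Forbidden(Exception):
    """Raised when a user without editbugs or a primary relationship changes a protected column."""


def make_bug():
    """Fresh copy of a constructed sample bug, so every scenario starts from the same state."""
    return {
        "reporter": "justdave@example.com",
        "assigned_to": "jacob@example.com",
        "qa_contact": "qa@example.com",
        "product_id": PRODUCT_IDS["mozilla.org"],
        "component_id": COMPONENT_IDS["Miscellaneous"],
        "bug_status": "NEW",
    }


def user_may_edit(user, bug):
    """editbugs members and the reporter, assignee and QA contact may change protected columns."""
    if "editbugs" in user["groups"]:
        return True
    return user["login"] in (bug["reporter"], bug["assigned_to"], bug["qa_contact"])


def submitted_column_values(form):
    """Translate submitted form fields into the column values that will actually be written."""
    values = {}
    for field, value in form.items():
        column = FORM_FIELD_TO_COLUMN.get(field)
        if column == "product_id":
            values[column] = PRODUCT_IDS[value]
        elif column == "component_id":
            values[column] = COMPONENT_IDS[value]
        elif column is not None:
            values[column] = value
    return values


def write_changes(bug, values):
    """Apply the new values; return the activity-log entries as column -> (old, new)."""
    log = {}
    for column, value in values.items():
        if bug[column] != value:
            log[column] = (bug[column], value)
            bug[column] = value
    return log


def process_bug_vulnerable(user, bug, form):
    """Flawed gate: walk LOG_COLUMNS and look for a form field of the same name.
    'product_id' is logged but the form carries 'product', so a product change is
    never gated; it is still written and logged like a permitted change."""
    for column in LOG_COLUMNS:
        if column in form and form[column] != bug[column] and not user_may_edit(user, bug):
            raise Forbidden(column)
    return write_changes(bug, submitted_column_values(form))


def process_bug_fixed(user, bug, form):
    """Gate on the columns that will actually be written, after translating the form."""
    values = submitted_column_values(form)
    for column, value in values.items():
        if column in LOG_COLUMNS and bug[column] != value and not user_may_edit(user, bug):
            raise Forbidden(column)
    return write_changes(bug, values)


def attempt(handler, user, form):
    """Run one scenario on a fresh bug; returns ('applied', log) or ('forbidden', column)."""
    try:
        return ("applied", handler(user, make_bug(), form))
    except Forbidden as exc:
        return ("forbidden", exc.args[0])


if __name__ == "__main__":
    # An unprivileged outsider moves the bug from mozilla.org to NSPR.
    print(attempt(process_bug_vulnerable, NOBODY, {"product": "NSPR"}))   # applied
    print(attempt(process_bug_fixed, NOBODY, {"product": "NSPR"}))        # forbidden
```

The same outsider is correctly refused a `bug_status` change by the flawed gate, because that form field happens to share its name with the logged column; the check was never missing, it was keyed to the wrong namespace for two fields. Gating on the translated column values, as the second function does, makes the check independent of how the form spells the field.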
Updated•23 years ago
Group: security
Updated•23 years ago
Group: security → webtools-security
Comment 3 (Assignee) • 23 years ago
Looking at this anything short of removing @::log_columns is going to be a bit
of a hack. So, this patch seems to be the least intrusive hack.
Updated (Assignee) • 23 years ago
Attachment #106588 flags: review?
Updated (Assignee) • 23 years ago
Status: NEW → ASSIGNED
Updated (Assignee) • 23 years ago
Severity: normal → critical
Keywords: regression
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
Comment 5•23 years ago
Comment on attachment 106588 (Patch - Fun hack)
Joy.
r=bbaetz, assuming you've tested + all
Attachment #106588 flags: review? → review+
Comment 6 (Reporter) • 23 years ago
a= justdave
Comment 7 (Assignee) • 23 years ago
Checking in process_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v <-- process_bug.cgi
new revision: 1.167; previous revision: 1.166
done
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 8•23 years ago
Clearing security bit on fixed bug.
Affected pulls were from 2002/08/12 05:42:55 to 2002/11/18 04:27:34 US/Pacific,
+/- about 15 minutes for cvs-mirror lag
People who were not in the editbugs group could change the product or component
of a bug. The change was still logged in the activity log and mails were still
sent out (as would happen with a permitted user changing these fields).
Group: webtools-security
Updated•13 years ago
QA Contact: matty_is_a_geek → default-qa