Closed Bug 234825 Opened 20 years ago Closed 20 years ago

duplicates.cgi reveals products user doesnt have access to

Categories

(Bugzilla :: Reporting/Charting, defect, P2)

Product:
Bugzilla
Component:
Reporting/Charting
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: gmillerd, Assigned: bugreport)

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])

Attachments

(2 files)

Patch for 2.16 branch
773 bytes, patch
justdave
: review+
Details | Diff | Splinter Review
Patch for 2.18
602 bytes, patch
justdave
: review+
Details | Diff | Splinter Review 
User-Agent:       
Build Identifier: 

the line near 272 in duplicates v1.41:

$vars->{'products'} = \@::legal_product;

... should be something akin to ...

{
    my @tmp;
    foreach my $p (@::legal_product) {
        if (CanEnterProduct($p)) {
            push(@tmp, $p);
        }
    }
    $vars->{'products'} = \@tmp;
}

Reproducible: Always
Steps to Reproduce:
visit duplicates.cgi
Actual Results:  
all products in the system

Expected Results:  
only products i have access to
Securing until triaged.

Gerv
Group: webtools-security
Nominating for 2.18rc1 (shouldn't we be using flags?), because we seem to be
fixing other bugs like this at the moment.

Gerv
Whiteboard: [wanted for 2.18rc1]?
Confirming; I suspect Unconfirmed security bugs aren't on Dave's radar.

Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Gerv: since you're confirming this, I assume you've reproduced it?
This effects the 2.16 branch as well


    
  

        Attachment #143896 -
        Flags: review?(justdave)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch for 2.18Splinter Review
      

    


  

    
  

        Attachment #143897 -
        Flags: review?(justdave)

    
  
Severity: normal → major
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Whiteboard: [wanted for 2.18rc1]? → [wanted for 2.16.6][wanted for 2.18rc1]
Target Milestone: --- → Bugzilla 2.18
Whiteboard: [wanted for 2.16.6][wanted for 2.18rc1] → [wanted for 2.16.6] [wanted for 2.18rc1]
Assignee: gerv → bugreport
Flags: blocking2.18+
Flags: blocking2.16.6+
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16

        Attachment #143896 -
        Flags: review?(justdave) → review+

    
    

    
  
Comment on attachment 143897 [details] [diff] [review]
Patch for 2.18

>+my @selectable_products = GetSelectableProducts();
>+$vars->{'products'} = \@selectable_products;

This works, so I won't complain, but wouldn't it save an unnecessary variable
if you do it like this:

$vars->{'products'} = [ GetSelectableProducts() ];

?

        Attachment #143897 -
        Flags: review?(justdave) → review+

    
    

    
  
holding approval for security advisory
Flags: approval?
Flags: approval2.16?
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]

    
    

    
  
Proposed wording for release notes:

Duplicates.cgi can divulge the names of products to which the user is not
supposed to have any access. 
 
Flags: approval2.16? → approval2.16+
Flags: approval? → approval+

    
    

    
  
checked in on both branches

Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
  
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]

    
    

    
  
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa

          You need to log in
          before you can comment on or make changes to this bug.