Closed Bug 234825 Opened 17 years ago Closed 17 years ago

duplicates.cgi reveals products user doesn't have access to

Categories

(Bugzilla :: Reporting/Charting, defect, P2)

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: gmillerd, Assigned: bugreport)

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])

Attachments

(2 files)

the line near 272 in duplicates v1.41:

$vars->{'products'} = \@::legal_product;

... should be something akin to ...

{
    # keep only the products the current user is allowed to enter
    my @tmp;
    foreach my $p (@::legal_product) {
        if (CanEnterProduct($p)) {
            push(@tmp, $p);
        }
    }
    $vars->{'products'} = \@tmp;
}

Reproducible: Always
Steps to Reproduce:
visit duplicates.cgi
Actual Results:  
all products in the system

Expected Results:  
only products I have access to
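The defect and the reporter's proposed filter, modelled as an added example (not Bugzilla's own code, written in Python rather than the project's Perl): a constructed product catalogue with one group-restricted product, the unfiltered listing that duplicates.cgi produced, and the per-user filter beside it, plus a helper that computes exactly which names the unfiltered listing leaks.

```python
# Added example, not Bugzilla's code: models the duplicates.cgi product
# listing before and after the fix. Product names, groups and users below
# are constructed sample data.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Product:
    name: str
    # Group a user must belong to in order to enter bugs in the product;
    # None means the product is open to everyone.
    required_group: Optional[str] = None


@dataclass
class User:
    login: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


# Constructed catalogue: two public products and one confidential one.
LEGAL_PRODUCTS = (
    Product("Bugzilla"),
    Product("Webtools"),
    Product("SecretProject", required_group="secretproject-members"),
)


def can_enter_product(user: User, product: Product) -> bool:
    """Access check modelled on CanEnterProduct(): open products are
    visible to all, restricted ones only to members of the required group."""
    return product.required_group is None or product.required_group in user.groups


def products_before_fix(user: User) -> List[str]:
    """Behaviour reported in the bug: the whole legal-product list is
    handed to the template regardless of who is asking."""
    return [p.name for p in LEGAL_PRODUCTS]


def products_after_fix(user: User) -> List[str]:
    """Fixed behaviour: only the products the requesting user may enter."""
    return [p.name for p in LEGAL_PRODUCTS if can_enter_product(user, p)]


def leaked_product_names(user: User) -> Set[str]:
    """Names the pre-fix listing discloses that this user should not see."""
    return set(products_before_fix(user)) - set(products_after_fix(user))
```

Running `leaked_product_names(User("outsider@example.com"))` returns `{"SecretProject"}`, which is the disclosure the bug describes; for a member of `secretproject-members` the set is empty.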
Securing until triaged.

Gerv
Group: webtools-security
Nominating for 2.18rc1 (shouldn't we be using flags?), because we seem to be
fixing other bugs like this at the moment.

Gerv
Whiteboard: [wanted for 2.18rc1]?
Confirming; I suspect Unconfirmed security bugs aren't on Dave's radar.

Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Gerv: since you're confirming this, I assume you've reproduced it?
This affects the 2.16 branch as well
Attachment #143896 - Flags: review?(justdave)
Attached patch: Patch for 2.18
Attachment #143897 - Flags: review?(justdave)
Severity: normal → major
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Whiteboard: [wanted for 2.18rc1]? → [wanted for 2.16.6][wanted for 2.18rc1]
Target Milestone: --- → Bugzilla 2.18
Whiteboard: [wanted for 2.16.6][wanted for 2.18rc1] → [wanted for 2.16.6] [wanted for 2.18rc1]
Assignee: gerv → bugreport
Flags: blocking2.18+
Flags: blocking2.16.6+
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Attachment #143896 - Flags: review?(justdave) → review+
Comment on attachment 143897 [details] [diff] [review]
Patch for 2.18

>+my @selectable_products = GetSelectableProducts();
>+$vars->{'products'} = \@selectable_products;
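Review bot: the hunk replaces the unfiltered @::legal_product list with the return value of GetSelectableProducts(), but only the call is visible here; the fix is exactly as strong as that function's per-user filtering, so the review should confirm it omits products the requesting user cannot enter (the case in the bug's steps to reproduce) rather than reshaping the same global list.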

This works, so I won't complain, but wouldn't it save an unnecessary variable
if you do it like this:

$vars->{'products'} = [ GetSelectableProducts() ];

?
Attachment #143897 - Flags: review?(justdave) → review+
holding approval for security advisory
Flags: approval?
Flags: approval2.16?
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Proposed wording for release notes:

Duplicates.cgi can divulge the names of products to which the user is not
supposed to have any access.
Flags: approval2.16? → approval2.16+
Flags: approval? → approval+
checked in on both branches
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa