duplicates.cgi reveals products user doesn't have access to

RESOLVED FIXED in Bugzilla 2.16

Status

Type: defect
Priority: P2
Severity: major
Resolution: RESOLVED FIXED
Reported: 16 years ago
Modified: 7 years ago

People

(Reporter: gmillerd, Assigned: bugreport)

Tracking

Version: unspecified
Target Milestone: Bugzilla 2.16
Bug Flags:
approval +
blocking2.18 +
approval2.16 +
blocking2.16.6 +

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])

Attachments

(2 attachments)

Reporter

Description

16 years ago

the line near 272 in duplicates v1.41:

$vars->{'products'} = \@::legal_product;

... should be something akin to ...

{
    my @tmp;
    foreach my $p (@::legal_product) {
        if (CanEnterProduct($p)) {
            push(@tmp, $p);
        }
    }
    $vars->{'products'} = \@tmp;
}

Reproducible: Always
Steps to Reproduce:
visit duplicates.cgi
Actual Results:  
all products in the system

Expected Results:  
only products i have access to
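The pattern behind the report, as an added illustration rather than code from Bugzilla or from the reporter: the product list handed to the template must be filtered by the caller's access, not copied straight from the global list. The product table, the group requirements and can_enter_product() are constructed stand-ins for Bugzilla's data and its CanEnterProduct().

```perl
#!/usr/bin/perl -w
# Added example, not Bugzilla code: filter the product list by the
# caller's access before it reaches the template.  All data below is
# constructed for the illustration.
use strict;

# Constructed data: every product in the system, and the group (if any)
# a user must belong to in order to see it.  Undef means unrestricted.
my @legal_product = qw(Bugzilla Firefox SecretProject);
my %product_group = (
    Bugzilla      => undef,
    Firefox       => undef,
    SecretProject => 'secret-team',
);

# Stand-in for Bugzilla's CanEnterProduct(): true when the product is
# unrestricted or the user holds the required group.
sub can_enter_product {
    my ($user_groups, $product) = @_;
    my $needed = $product_group{$product};
    return 1 unless defined $needed;
    return scalar grep { $_ eq $needed } @$user_groups;
}

# Vulnerable form: the template gets the unfiltered list, so the names
# of restricted products leak to every visitor of the page.
sub products_unfiltered {
    return [ @legal_product ];
}

# Fixed form: only products the user may enter reach the template.
sub products_for_user {
    my ($user_groups) = @_;
    return [ grep { can_enter_product($user_groups, $_) } @legal_product ];
}

my @outsider = ();
my @insider  = ('secret-team');

print "unfiltered: @{ products_unfiltered() }\n";
print "outsider:   @{ products_for_user(\@outsider) }\n";
print "insider:    @{ products_for_user(\@insider) }\n";
```

The outsider never sees "SecretProject" in the filtered list, which is what the reporter's proposed loop over @::legal_product achieves; the same check must be applied to any product name the script accepts back from the request, or the filtered menu alone is only cosmetic.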
Securing until triaged.

Gerv
Group: webtools-security
Nominating for 2.18rc1 (shouldn't we be using flags?), because we seem to be
fixing other bugs like this at the moment.

Gerv
Whiteboard: [wanted for 2.18rc1]?
Confirming; I suspect Unconfirmed security bugs aren't on Dave's radar.

Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Gerv: since you're confirming this, I assume you've reproduced it?
Assignee

Comment 5

16 years ago
This affects the 2.16 branch as well
Assignee

Comment 6

16 years ago
Assignee

Updated

16 years ago
Attachment #143896 - Flags: review?(justdave)
Assignee

Comment 7

16 years ago
Assignee

Updated

16 years ago
Attachment #143897 - Flags: review?(justdave)
Assignee

Updated

16 years ago
Severity: normal → major
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Whiteboard: [wanted for 2.18rc1]? → [wanted for 2.16.6][wanted for 2.18rc1]
Target Milestone: --- → Bugzilla 2.18
Whiteboard: [wanted for 2.16.6][wanted for 2.18rc1] → [wanted for 2.16.6] [wanted for 2.18rc1]
Assignee: gerv → bugreport
Flags: blocking2.18+
Flags: blocking2.16.6+
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Attachment #143896 - Flags: review?(justdave) → review+
Comment on attachment 143897 (Patch for 2.18)

>+my @selectable_products = GetSelectableProducts();
>+$vars->{'products'} = \@selectable_products;
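Review bot: the hunk only changes what the template receives; if duplicates.cgi also accepts product names from the request for its product selection, those values need to be checked against the same GetSelectableProducts() set, otherwise a hand-built URL still reaches a restricted product even though it no longer appears in the list.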

This works, so I won't complain, but wouldn't it save an unnecessary variable
if you do it like this:

$vars->{'products'} = [ GetSelectableProducts() ];

?
Attachment #143897 - Flags: review?(justdave) → review+
holding approval for security advisory
Flags: approval?
Flags: approval2.16?
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Assignee

Comment 10

15 years ago
Proposed wording for release notes:

Duplicates.cgi can divulge the names of products to which the user is not
supposed to have any access. 
 
Flags: approval2.16? → approval2.16+
Flags: approval? → approval+
Assignee

Comment 11

15 years ago
checked in on both branches
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee

Updated

15 years ago
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa