change a login n@domain to <n@domain> removes link in 'Select user'

RESOLVED FIXED in Bugzilla 2.16

Status

()

Bugzilla
User Accounts
RESOLVED FIXED
14 years ago
5 years ago

People

(Reporter: Andreas Kahnt, Assigned: Vlad Dascalu)

Tracking

unspecified
Bugzilla 2.16
Bug Flags:
approval +
blocking2.18 +
approval2.16 +
blocking2.16.6 +

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1], URL)

Attachments

(2 attachments)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030821
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030821

Bugzilla 2.17.7: I selected a login and renamed it from n@domain to <n@domain>.
After 'update' and http://ssv.coware.de/bugzilla/editusers.cgi with an empty
match string the user is listed in 'Select user' with its 'Real name' but there
is no link in 'Edit user...'. A second try results in: Updated user\nSorry, user
name '' is already in use.

Reproducible: Couldn't Reproduce
Steps to Reproduce:
1.rename login from n@domain to <n@domain>
2.update
3.Edit more users
4.Select all users
5.The one renamed is listed as first but without any link to edit



Expected Results:  
Allow to edit the user data.
What version of Bugzilla are you using?

Have you changed your emailregexp to allow < and > characters?  In theory it
shouldn't allow those in email addresses.

If it's allowing them, that's an XSS hole waiting to happen.

Due to the XSS implications, securing bug until we figure out what's going on.
Group: webtools-security
OS: Linux → All
Hardware: PC → All
We don't validate new email addresses entered from the management side. This may
be by design - admins want to set it to something invalid. But we also don't
escape them when printing them in editusers.cgi.

editusers.cgi:359.

Gerv
(Reporter)

Comment 3

14 years ago
> What version of Bugzilla are you using?
2.17.7

> Have you changed your emailregexp to allow < and > characters?  In theory it
> shouldn't allow those in email addresses.
No, I did standard installation.Change was done from admin.

I assume that my strange name change resulted in a zero-length user name. 
The installation was new, the user hidden had no related data in database. For
me I solved the problem by temporarily allowing to delete the user -- anyway it
should be possible to have a link to edit preferences.

I ran into that due to following error message of the 'sanity check': 'Bad
profile email address, id=1, <aka@aka.coware.de>.'
guess we need to sanitycheck the admin entry, too, that's probably the best
short-term fix for this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking2.18+
Flags: blocking2.16.6+
Target Milestone: --- → Bugzilla 2.16
Blocks: 206037
(Assignee)

Comment 5

14 years ago
Created attachment 152369 [details] [diff] [review]
Patch v1

<justdave> [...] should be a quick fix...  need to html_quote email addresses
in editusers.cgi and ensure emails entered on the edit/create user form match
the emailregexp

The "create user screen" already validates the entry data againest the regexp,
but the rest of the points remain valid.
Assignee: myk → vladd
Status: NEW → ASSIGNED
(Assignee)

Updated

14 years ago
Attachment #152369 - Flags: review?

Comment 6

14 years ago
Comment on attachment 152369 [details] [diff] [review]
Patch v1

r=joel
when we get arund to templatizing this, we should make better error messages as
well.
Attachment #152369 - Flags: review? → review+
Comment on attachment 152369 [details] [diff] [review]
Patch v1

r=justdave for trunk.

This does not apply cleanly to 2.16, we'll need a separate patch for 2.16.
Whiteboard: [wanted for 2.16.6] [ready for 2.18rc1]
(Assignee)

Comment 8

14 years ago
Created attachment 152423 [details] [diff] [review]
Patch for 2-16 BRANCH
(Assignee)

Updated

14 years ago
Attachment #152423 - Flags: review?
(Assignee)

Updated

14 years ago
Flags: approval?
Flags: approval2.16?
(Assignee)

Updated

14 years ago
Attachment #152423 - Flags: review?(bugreport)

Comment 9

14 years ago
Comment on attachment 152423 [details] [diff] [review]
Patch for 2-16 BRANCH

r=joel if you've tested it
Attachment #152423 - Flags: review?(bugreport) → review+
(Assignee)

Updated

14 years ago
Attachment #152423 - Flags: review?

Updated

14 years ago
Whiteboard: [wanted for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Flags: approval2.16? → approval2.16+
Flags: approval? → approval+

Comment 10

14 years ago
checked in on both branches
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Updated

14 years ago
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.