Closed Bug 250605 Opened 16 years ago Closed 16 years ago

Metadata changes on private attachments shown in bugmail to people not in the insidergroup

Categories

(Bugzilla :: Email Notifications, defect, P2)

2.17.7
defect

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: bugreport, Assigned: bugreport)

Details

(Whiteboard: [does not affect 2.16.x] [fixed in 2.18rc3] [fixed in 2.19.1])

Attachments

(1 file)

If an attachment is private, requests and changes to the description, mime-type,
etc. should also be private.

Best bet is to LEFT JOIN in the attachments when going through the bug, pull the
private flag, and OR that into $anyprivate.
This should be nicely contained within BugMail.pm.

If a diff involves an attachment and the attachment is private, then make sure
$anyprivate gets set.
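
The approach described in the comments above, as an added example (not the attached patch and not Bugzilla's own code; written in Python with SQLite rather than BugMail.pm's Perl so it runs stand-alone). The table layout is a constructed, simplified stand-in for `bugs_activity` and `attachments`, and `load_diffs`, `difftext_for`, `demo_db` and the `is_insider` flag are hypothetical names standing in for the insidergroup membership check.

```python
import sqlite3

# Constructed, simplified schema and sample rows; the real tables have more columns.
SCHEMA = """
CREATE TABLE attachments (attach_id INTEGER PRIMARY KEY, bug_id INTEGER,
                          isprivate INTEGER NOT NULL DEFAULT 0);
CREATE TABLE bugs_activity (bug_id INTEGER, attach_id INTEGER,
                            field TEXT, removed TEXT, added TEXT);
INSERT INTO attachments VALUES (10, 1, 0), (11, 1, 1);
INSERT INTO bugs_activity VALUES
  (1, NULL, 'priority', '--', 'P2'),
  (1, 10, 'attachments.description', 'patch', 'patch v2'),
  (1, 11, 'attachments.mimetype', 'text/plain', 'application/pdf'),
  (1, 11, 'flagtypes.name', '', 'review?');
"""

# LEFT JOIN keeps bug-level rows (attach_id IS NULL); COALESCE marks them public.
DIFF_QUERY = """
SELECT ba.field, ba.removed, ba.added, ba.attach_id,
       COALESCE(a.isprivate, 0) AS isprivate
FROM bugs_activity ba
LEFT JOIN attachments a ON a.attach_id = ba.attach_id
WHERE ba.bug_id = ?
ORDER BY ba.rowid
"""

def load_diffs(db, bug_id):
    cols = ("field", "removed", "added", "attach_id", "isprivate")
    return [dict(zip(cols, row)) for row in db.execute(DIFF_QUERY, (bug_id,))]

def difftext_for(diffs, is_insider):
    """Render only the changes this recipient may see; None means send no mail."""
    visible = [d for d in diffs if is_insider or not d["isprivate"]]
    if not visible:
        return None
    lines = []
    for d in visible:
        where = f"Attachment #{d['attach_id']} " if d["attach_id"] else ""
        lines.append(f"{where}{d['field']}: {d['removed']!r} -> {d['added']!r}")
    return "\n".join(lines)

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

if __name__ == "__main__":
    for insider in (True, False):
        print(insider, difftext_for(load_diffs(demo_db(), 1), insider), sep="\n")
```

The privacy flag is resolved once per change when the activity is read, and the filter is applied per recipient, so a mail whose only changes concern a private attachment is suppressed entirely for non-insiders.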

Priority: -- → P2
Target Milestone: --- → Bugzilla 2.20
Attachment #154606 - Flags: review?
This really should wind up on 2.18
Status: NEW → ASSIGNED
Flags: blocking2.18?
Target Milestone: Bugzilla 2.20 → Bugzilla 2.18
Flags: blocking2.18? → blocking2.18+
This sounds like a case of information leakage?
Group: webtools-security
Attachment #154606 - Flags: review?(zach)
Comment on attachment 154606 [details] [diff] [review]
No difftext on bugmail regarding private attachments

Looks okay. You could:

- Use user->in_group() instead of keying the user->groups hash
- Perhaps use "insideronly" or something to avoid overloading isprivate to
indicate that it's only visible to isprivate, though IIRC that could be a
common convention in our code.

Simple enough to not require 2r=?
Attachment #154606 - Flags: review? → review+
Whiteboard: patch awaiting second review or checkin
Attachment #154606 - Flags: review?(zach)
holding approval for release day
Flags: approval?
Flags: approval2.18?
Whiteboard: patch awaiting second review or checkin → [does not affect 2.16.x] [ready for 2.18rc3] [ready for 2.19.1]
clarifying summary so we can tell this apart from bug 253544 on a buglist.
Summary: Metadata changes on private attachments should be private as well → Metadata changes on private attachments shown in bugmail to people not in the insidergroup
checked in on trunk:

Checking in Bugzilla/BugMail.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/BugMail.pm,v  <--  BugMail.pm
new revision: 1.16; previous revision: 1.15
done

and on 2.18 branch:

Checking in Bugzilla/BugMail.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/BugMail.pm,v  <--  BugMail.pm
new revision: 1.13.2.1; previous revision: 1.13
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: approval?
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Resolution: --- → FIXED
Whiteboard: [does not affect 2.16.x] [ready for 2.18rc3] [ready for 2.19.1] → [does not affect 2.16.x] [fixed in 2.18rc3] [fixed in 2.19.1]
advisory has posted, clearing security flag
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa