Closed
Bug 287436
Opened 19 years ago
Closed 19 years ago
After having logged in, links to change the report type contain username and password
Categories (Bugzilla :: User Accounts, defect, P1)
RESOLVED FIXED
Bugzilla 2.18
People (Reporter: roman, Assigned: Wurblzap)
Attachments (2 files)
2.36 KB, patch | gerv: review+
2.27 KB, patch | gerv: review+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; pl-PL; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; pl-PL; rv:1.7.5) Gecko/20041108 Firefox/1.0
This bug occurred on my Bugzilla installation, using Firefox which needs to re-log in almost every time I go to a different page, but you can also use the following repro steps.
Reproducible: Always
Steps to Reproduce:
1. go to https://bugzilla.mozilla.org/query.cgi?format=report-table and choose some fields to gather data for report
2. if you are logged in, log out (e.g. on another tab)
3. click 'Generate Report'
4. login as requested
5. choose link for different report type (like 'Bar', 'Line', or 'CSV')
Actual Results: Username and password are visible in links.
Expected Results: Don't show username and password.
Comment 1•19 years ago
This was independently confirmed by Wurblzap on irc.
Group: webtools-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Updated•19 years ago
Flags: blocking2.20+
Flags: blocking2.18.1+
Comment 2•19 years ago (Assignee)
This patch removes Bugzilla_login and Bugzilla_password as soon as possible from the CGI params. The special case in chart.cgi is not needed anymore and goes away. userprefs.cgi is a special case because it needs access to these variables, so the params are saved in time.
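The fix described in comment 2, as an added example that is not part of the bug report or of Bugzilla's code. Request parameters are modelled as a plain hash, and `pct_encode`, `build_link`, `authenticate`, the `report.cgi` link target and the sample values are assumptions made for the illustration.

```perl
# Added example, not Bugzilla source: request parameters are a plain hash,
# and pct_encode() / build_link() / authenticate() are hypothetical helpers.
use strict;
use warnings;

# Percent-encode everything outside the RFC 3986 unreserved set.
sub pct_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Rebuild a link to the same report in another format from whatever is in
# the current request parameters (how a "CSV" / "Bar" link gets derived).
sub build_link {
    my ($params, $format) = @_;
    my %p = (%$params, format => $format);
    return 'report.cgi?' . join('&',
        map { pct_encode($_) . '=' . pct_encode($p{$_}) } sort keys %p);
}

# Stand-in for the login check. With $strip set, the credentials are deleted
# from the parameters as soon as they have been read, which is the approach
# comment 2 describes. The real credential check is omitted.
sub authenticate {
    my ($params, $strip) = @_;
    my ($login, $password) = @{$params}{qw(Bugzilla_login Bugzilla_password)};
    delete @{$params}{qw(Bugzilla_login Bugzilla_password)} if $strip;
    return defined $login && defined $password;
}

# Constructed request: the report query re-submitted through the login form.
my %request = (
    x_axis_field      => 'bug_status',
    y_axis_field      => 'priority',
    Bugzilla_login    => 'user@example.com',
    Bugzilla_password => 'constructed-password',
);

for my $strip (0, 1) {
    my %params = %request;    # fresh copy for each run
    authenticate(\%params, $strip);
    my $link = build_link(\%params, 'csv');
    my $leak = $link =~ /Bugzilla_(?:login|password)=/ ? 'LEAKS' : 'clean';
    printf "%-8s %s => %s\n", $strip ? 'after:' : 'before:', $leak, $link;
}
```

The first line printed still carries both credential parameters in the generated link; the second, built after the parameters were deleted, does not.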
Comment 3•19 years ago
Comment on attachment 178463 Head patch
Looks good - very sensible fix. r=gerv.
Gerv
Attachment #178463 - Flags: review? → review+
Updated•19 years ago
Flags: approval?
Flags: approval2.18?
Comment 4•19 years ago
holding approvals for release day
Whiteboard: [ready for 2.18.1] [ready for 2.19.3]
Target Milestone: --- → Bugzilla 2.18
Updated•19 years ago (Assignee)
Attachment #178463 - Attachment description: Patch → Head patch
Updated•19 years ago
Attachment #178948 - Flags: review?(gerv) → review+
Comment 6•19 years ago
*** Bug 289965 has been marked as a duplicate of this bug. ***
Updated•19 years ago
Component: Reporting/Charting → User Accounts
Priority: -- → P1
Comment 7•19 years ago
*** Bug 291824 has been marked as a duplicate of this bug. ***
Comment 8•19 years ago
ok, release is imminent, let's roll :)
Flags: approval?
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Comment 9•19 years ago
Tip:
Checking in chart.cgi;
/cvsroot/mozilla/webtools/bugzilla/chart.cgi,v <-- chart.cgi
new revision: 1.11; previous revision: 1.10
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.75; previous revision: 1.74
done
Checking in Bugzilla/Auth/Login/WWW/CGI.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/WWW/CGI.pm,v <-- CGI.pm
new revision: 1.10; previous revision: 1.9
done
2.18:
Checking in chart.cgi;
/cvsroot/mozilla/webtools/bugzilla/chart.cgi,v <-- chart.cgi
new revision: 1.7.2.2; previous revision: 1.7.2.1
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.58.2.5; previous revision: 1.58.2.4
done
Checking in Bugzilla/Auth/CGI.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Attic/CGI.pm,v <-- CGI.pm
new revision: 1.7.2.2; previous revision: 1.7.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: relnote
Resolution: --- → FIXED
Whiteboard: [ready for 2.18.1] [ready for 2.19.3]
Version: unspecified → 2.17.1
Updated•19 years ago
Group: webtools-security