Closed
Bug 287436
Opened 20 years ago
Closed 20 years ago
After having logged in, links to change the report type contain username and password
Categories
(Bugzilla :: User Accounts, defect, P1)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: roman, Assigned: Wurblzap)
Attachments
(2 files)
2.36 KB, patch | gerv: review+
2.27 KB, patch | gerv: review+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; pl-PL; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; pl-PL; rv:1.7.5) Gecko/20041108 Firefox/1.0
This bug occurred on my Bugzilla installation, using Firefox, which needs to
re-log in almost every time I go to a different page, but you can also use the
following repro steps.
Reproducible: Always
Steps to Reproduce:
1. go to https://bugzilla.mozilla.org/query.cgi?format=report-table and choose
some fields to gather data for report
2. if you are logged in, log out (e.g. on another tab)
3. click 'Generate Report'
4. login as requested
5. choose link for different report type (like 'Bar', 'Line', or 'CSV')
Actual Results:
Username and password are visible in links.
Expected Results:
Don't show username and password.
Comment 1•20 years ago
This was independently confirmed by Wurblzap on irc.
Group: webtools-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Updated•20 years ago
Flags: blocking2.20+
Flags: blocking2.18.1+
Assignee
Comment 2•20 years ago
This patch removes Bugzilla_login and Bugzilla_password as soon as possible
from the CGI params.
The special case in chart.cgi is not needed anymore and goes away.
userprefs.cgi is a special case because it needs access to these variables, so
the params are saved in time.
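The approach described in comment 2, as an added illustration that is not the Bugzilla patch or Bugzilla's Perl code: a Python sketch contrasting a login that leaves the credentials in the request params, so a self-referencing link echoes them, with one that removes them as they are read. Only the parameter names `Bugzilla_login` and `Bugzilla_password` come from the report; the `Request` class, `self_link`, `check`, the `example.cgi` path and the sample account are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

# Parameter names come from the bug report; all other names are hypothetical.
CREDENTIAL_PARAMS = ("Bugzilla_login", "Bugzilla_password")

class Request:
    """Minimal stand-in for a CGI parameter object (not Bugzilla's class)."""
    def __init__(self, query_string):
        self.params = dict(parse_qsl(query_string, keep_blank_values=True))
        self.saved_credentials = {}

    def self_link(self, **overrides):
        """Rebuild a link to the current page from the live params, as a
        report page does for its 'Bar', 'Line' and 'CSV' variants."""
        return "example.cgi?" + urlencode({**self.params, **overrides})

def check(login, password):
    # Constructed account, for this demo only.
    return login == "user@example.com" and password == "s3cret"

def login_leaky(req):
    """Before: credentials are verified but left in the params."""
    return check(req.params.get("Bugzilla_login"),
                 req.params.get("Bugzilla_password"))

def login_fixed(req, keep_for_caller=False):
    """After: take the credentials out of the params as they are read, so
    nothing later built from the params can echo them."""
    creds = {name: req.params.pop(name, None) for name in CREDENTIAL_PARAMS}
    if keep_for_caller:
        # A page that needs the values again (userprefs.cgi in the patch
        # description) gets a private copy that link building never sees.
        req.saved_credentials = creds
    return check(creds["Bugzilla_login"], creds["Bugzilla_password"])

# Constructed request: the login form carries the original report fields.
SAMPLE_QS = ("x_axis_field=bug_status&format=table"
             "&Bugzilla_login=user%40example.com&Bugzilla_password=s3cret")

if __name__ == "__main__":
    leaky, fixed = Request(SAMPLE_QS), Request(SAMPLE_QS)
    login_leaky(leaky)
    login_fixed(fixed)
    print("before:", leaky.self_link(format="bar"))
    print("after: ", fixed.self_link(format="bar"))
```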
Comment 3•20 years ago
Comment on attachment 178463 [details] [diff] [review]
Head patch
Looks good - very sensible fix. r=gerv.
Gerv
Attachment #178463 - Flags: review? → review+
Updated•20 years ago
Flags: approval?
Flags: approval2.18?
Comment 4•20 years ago
holding approvals for release day
Whiteboard: [ready for 2.18.1] [ready for 2.19.3]
Target Milestone: --- → Bugzilla 2.18
Assignee
Updated•20 years ago
Attachment #178463 - Attachment description: Patch → Head patch
Updated•20 years ago
Attachment #178948 - Flags: review?(gerv) → review+
Comment 6•20 years ago
*** Bug 289965 has been marked as a duplicate of this bug. ***
Updated•20 years ago
Component: Reporting/Charting → User Accounts
Priority: -- → P1
Comment 7•20 years ago
*** Bug 291824 has been marked as a duplicate of this bug. ***
Comment 8•20 years ago
ok, release is imminent, let's roll :)
Flags: approval?
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Comment 9•20 years ago
Tip:
Checking in chart.cgi;
/cvsroot/mozilla/webtools/bugzilla/chart.cgi,v <-- chart.cgi
new revision: 1.11; previous revision: 1.10
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.75; previous revision: 1.74
done
Checking in Bugzilla/Auth/Login/WWW/CGI.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/WWW/CGI.pm,v <-- CGI.pm
new revision: 1.10; previous revision: 1.9
done
2.18:
Checking in chart.cgi;
/cvsroot/mozilla/webtools/bugzilla/chart.cgi,v <-- chart.cgi
new revision: 1.7.2.2; previous revision: 1.7.2.1
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi
new revision: 1.58.2.5; previous revision: 1.58.2.4
done
Checking in Bugzilla/Auth/CGI.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Attic/CGI.pm,v <-- CGI.pm
new revision: 1.7.2.2; previous revision: 1.7.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: relnote
Resolution: --- → FIXED
Whiteboard: [ready for 2.18.1] [ready for 2.19.3]
Version: unspecified → 2.17.1
Updated•20 years ago
Group: webtools-security