Closed Bug 287436 Opened 19 years ago Closed 19 years ago

After having logged in, links to change the report type contain username and password

Categories

(Bugzilla :: User Accounts, defect, P1)

Product:
Bugzilla
Component:
User Accounts
Version:
2.17.1
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: roman, Assigned: Wurblzap)

References

Details

Attachments

(2 files)

Head patch
2.36 KB, patch
gerv
: review+
Details | Diff | Splinter Review
Branch patch
2.27 KB, patch
gerv
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; pl-PL; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; pl-PL; rv:1.7.5) Gecko/20041108 Firefox/1.0

This bug occurred on my bugzilla installation, using Firefox which needs to
re-log in to almost every time I go to different page, but you can also use the
following repro steps.

Reproducible: Always

Steps to Reproduce:
1. go to https://bugzilla.mozilla.org/query.cgi?format=report-table and choose
some fields to gather data for report
2. if you are logged in, log out (e.g. on another tab)
3. click 'Generate Report'
4. login as requested
5. choose link for different report type (like 'Bar', 'Line', or 'CSV')

Actual Results:  
Username and password is visible in links.

Expected Results:  
Don't show username and password.
This was independently confirmed by Wurblzap on irc.
Group: webtools-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Flags: blocking2.20+
Flags: blocking2.18.1+
Attached patch Head patchSplinter Review 
This patch removes Bugzilla_login and Bugzilla_password as soon as possible
from the CGI params.

The special case in chart.cgi is not needed anymore and goes away.

userprefs.cgi is a special case because it needs access to these variables, so
the params are saved in time.
Assignee: gerv → wurblzap
Status: NEW → ASSIGNED
Attachment #178463 - Flags: review?
Comment on attachment 178463 [details] [diff] [review]
Head patch

Looks good - very sensible fix. r=gerv.

Gerv
Attachment #178463 - Flags: review? → review+
Flags: approval?
Flags: approval2.18?
holding approvals for release day
Whiteboard: [ready for 2.18.1] [ready for 2.19.3]
Target Milestone: --- → Bugzilla 2.18
Attachment #178463 - Attachment description: Patch → Head patch
Attached patch Branch patchSplinter Review 
Simple backport.
Attachment #178948 - Flags: review?(gerv)
Attachment #178948 - Flags: review?(gerv) → review+
*** Bug 289965 has been marked as a duplicate of this bug. ***
Component: Reporting/Charting → User Accounts
Priority: -- → P1
Blocks: 290249
Keywords: relnote
*** Bug 291824 has been marked as a duplicate of this bug. ***
ok, release is imminent, let's roll :)
Flags: approval?
Flags: approval2.18?
Flags: approval2.18+
Flags: approval+
Tip:

Checking in chart.cgi;
/cvsroot/mozilla/webtools/bugzilla/chart.cgi,v  <--  chart.cgi
new revision: 1.11; previous revision: 1.10
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.75; previous revision: 1.74
done
Checking in Bugzilla/Auth/Login/WWW/CGI.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/WWW/CGI.pm,v  <--  CGI.pm
new revision: 1.10; previous revision: 1.9
done

2.18:

Checking in chart.cgi;
/cvsroot/mozilla/webtools/bugzilla/chart.cgi,v  <--  chart.cgi
new revision: 1.7.2.2; previous revision: 1.7.2.1
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.58.2.5; previous revision: 1.58.2.4
done
Checking in Bugzilla/Auth/CGI.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Auth/Attic/CGI.pm,v  <--  CGI.pm
new revision: 1.7.2.2; previous revision: 1.7.2.1
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: relnote
Resolution: --- → FIXED
Whiteboard: [ready for 2.18.1] [ready for 2.19.3]
Version: unspecified → 2.17.1
Group: webtools-security
You need to log in before you can comment on or make changes to this bug.