Closed Bug 290229 Opened 19 years ago Closed 19 years ago

attachment.cgi action=enter does not do groupset check on flag requestee

Categories

(Bugzilla :: Attachments & Requests, defect)

Product:
Bugzilla
Component:
Attachments & Requests
Version:
2.19.1
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: dbaron, Assigned: wicked)

References

(
URL
)

Details

attachment.cgi does a check that attachment flag requestees can access
group-confidential bugs when the attachment flag request is being set while
editing an attachment (action=edit), but it does not do the same check when the
attachment flag request is being set while creating a new attachment
(action=enter).  It probably should do the check for action=enter as well, and
it should certainly be consistent.

This created the bizarre situation in bug 290038 (atachment 180621) that dveditz
was able to make a request to mconnor while mconnor was not capable of viewing
the bug (and thus probably not capable of responding to the request).  It also
meant that when I went to deal with the superreview request at the same time,
*I* got the error message from
https://bugzilla.mozilla.org/attachment.cgi?id=180621&action=edit even though I
wasn't changing the problematic request at all -- I was plussing the separate
superreview request.  (I had to open the bug in a new tab, cc: mconnor, and
resubmit my superreview+ change and comments.)


Steps to reproduce (I expect, didn't actually test this)
 1. create a group-confidential bug
 2. create an attachment to the bug and in the attachment creation form, request
review on the attachment from somebody who can't access the bug

Expected results: error saying that the requestee can't access the bug (just
like for making the same request for action=edit)

Actual results: No error, but anybody who edits the attachment without changing
the problematic request does get the error.
I cannot reproduce this bug using the latest CVS version. And I cannot have a
look at the bug activity table in 290038 due to restrictions. :(

It's strange, looking at attachment.cgi and FlagType.pm, the check is there,
both in 2.19.1 and on the trunk. Maybe is there some local customization on
b.m.o? justdave, which version of these two files are we using on b.m.o? myk, do
you remember having fixed such a bug about requestee?

dbaron, are you sure mconnor has been requested to review the patch *before* the
bug got the security flag?
(In reply to comment #1)
> dbaron, are you sure mconnor has been requested to review the patch *before* the
> bug got the security flag?

err... I meant *after*.

The bug was filed with the security flag, so yes.
File: FlagType.pm       Status: Up-to-date
   Working revision:    1.10
File: attachment.cgi    Status: Up-to-date
   Working revision:    1.63

There were four flags set at once on that bug, is it by any chance passing the
check if any one of the addresses passes?

dveditz@cruzio.com changed:

 Attachment #180621 [details] [diff] |                           |review?(mconnor@steelgryphom.
               Flag |                           |com),
                    |                           |superreview?(dbaron@mozillafo
                    |                           |undation.org), approval1.7.7?,
                    |                           |approval-aviary1.0.3?

I (indirectly) discussed that problem with myk a few days ago (April 5). But I
did not make the relation with the requestee validation problem; sorry for that:

(22:05:25) LpSolit: myk, do you agree with me when I say that $bugid is
undefined in attachment.cgi, line 131?
(22:06:12) LpSolit: myk, validateID is the function which defines $bugid, but
this function is not called with $action==insert
(22:07:08) LpSolit: myk, this makes Flag::validate() and FlagType::validate()...
invalid
(22:11:50) myk: LpSolit: looks like you are right
(22:12:28) myk: LpSolit: does wicked's patch in bug 238870 fix the problem?


After several tests I did locally, I can now answer myk's question: YES! :)

I checked this patch in one week ago. Marking fixed!
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 19 years ago
Depends on: 238870
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 2.20
Version: unspecified → 2.19.1
Assignee: attach-and-request → wicked+bz
You need to log in before you can comment on or make changes to this bug.