Closed
Bug 308662
Opened 20 years ago
Closed 20 years ago
[SECURITY] User matching bypasses 'usevisibilitygroups' restrictions
Categories
(Bugzilla :: User Accounts, defect)
Tracking
RESOLVED
FIXED
Bugzilla 2.20
People
(Reporter: LpSolit, Assigned: bugreport)
References
Details
(Keywords: selenium, Whiteboard: [does not affect 2.18][ready for 2.20][ready for 2.21.1])
Attachments
(1 file)
913 bytes, patch | LpSolit: review+
When using substrings in User::match(), i.e. when user matching is in use with
the "search" mode activated, I am able to access user accounts I am not allowed
to see, despite 'usevisibilitygroups' being turned on. The "wildcards" mode seems
to work as expected, i.e. it really restricts its search to user accounts I am
allowed to see.
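The following is an added illustration, not Bugzilla's own Perl code and not the attached patch: a toy Python model of a user-matching routine guarded by a 'usevisibilitygroups'-style rule. The users, group names and visibility map are constructed, and the visibility rule (a requester may see users who share at least one group the requester's groups are allowed to see) is a simplification of Bugzilla's real behaviour. `match_vulnerable` applies the visibility filter only in "wildcards" mode, as the report describes; `match_fixed` applies it before either mode runs.

```python
# Added illustration (not Bugzilla's Perl code): a toy model of a
# user-matching routine guarded by a 'usevisibilitygroups'-style rule.
# Users, group names and the visibility map below are constructed.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset  # groups this user is a member of


# Constructed sample user directory.
USERS = [
    User("alice@example.test", frozenset({"public"})),
    User("bob@example.test", frozenset({"support"})),
    User("carol@example.test", frozenset({"security"})),
    User("dan@example.test", frozenset({"security"})),
]

# Constructed visibility map: group -> groups whose members it may see.
VISIBILITY = {
    "public": {"public"},
    "support": {"support", "public"},
    "security": {"security", "support", "public"},
}


def visible_groups(requester, visibility):
    """Union of all groups the requester's own groups are allowed to see."""
    allowed = set()
    for g in requester.groups:
        allowed |= visibility.get(g, {g})
    return allowed


def visible_users(requester, users, visibility):
    """Users sharing at least one group the requester may see."""
    allowed = visible_groups(requester, visibility)
    return [u for u in users if u.groups & allowed]


def match_vulnerable(requester, pattern, users, visibility, mode):
    """Matching as the bug describes it: only 'wildcards' mode filters."""
    if mode == "wildcards":
        pool = visible_users(requester, users, visibility)
        return [u.login for u in pool if fnmatchcase(u.login, pattern)]
    # 'search' (substring) mode is run against the whole user table,
    # so logins outside the requester's visibility groups leak out.
    return [u.login for u in users if pattern in u.login]


def match_fixed(requester, pattern, users, visibility, mode):
    """Fixed matching: the visibility filter is applied before either mode."""
    pool = visible_users(requester, users, visibility)
    if mode == "wildcards":
        return [u.login for u in pool if fnmatchcase(u.login, pattern)]
    return [u.login for u in pool if pattern in u.login]


def find(login):
    """Look up a constructed sample user by login."""
    return next(u for u in USERS if u.login == login)


if __name__ == "__main__":
    bob = find("bob@example.test")
    print("vulnerable:", match_vulnerable(bob, "example", USERS, VISIBILITY, "search"))
    print("fixed:     ", match_fixed(bob, "example", USERS, VISIBILITY, "search"))
```

Running the block as a script shows the difference for the "support" user bob: the vulnerable substring search returns all four logins, while the fixed version returns only the two accounts bob is allowed to see. The design point is that the visibility restriction belongs in the common path of the query, not in one of the two matching branches, so that adding a new matching mode cannot silently drop it.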
Updated•20 years ago
Flags: blocking2.20?
Target Milestone: --- → Bugzilla 2.20
Comment 1•20 years ago
I'd actually rather move this particular sec bug to 2.20.1, as we will have
other known issues with usevisibilitygroups in 2.20, and I don't want to put off
2.20 forever.
Flags: blocking2.20? → blocking2.20.1+
Comment 2•20 years ago
Assignee: user-accounts → bugreport
Status: NEW → ASSIGNED
Attachment #196168 -
Flags: review?(LpSolit)
Comment 3•20 years ago
Comment on attachment 196168 [details] [diff] [review]
Fix the query
r=LpSolit for both the tip and 2.20.
Attachment #196168 -
Flags: review?(LpSolit) → review+
Updated•20 years ago
Flags: approval?
Flags: approval2.20?
Updated•20 years ago
Whiteboard: [does not affect 2.18][ready for 2.20][ready for 2.21.1]
Comment 4•20 years ago
This is a small enough change that it can block 2.20.
Flags: blocking2.20.1+ → blocking2.20+
Updated•20 years ago
Flags: approval?
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
Comment 5•20 years ago
tip:
Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v <-- User.pm
new revision: 1.86; previous revision: 1.85
done
2.20:
Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v <-- User.pm
new revision: 1.61.2.10; previous revision: 1.61.2.9
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•20 years ago
Summary: User matching bypasses 'usevisibilitygroups' restrictions → [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions
Comment 6•20 years ago
OK, security advisory sent, removing this bug from the security group.
Group: webtools-security
Comment 7•20 years ago
This was assigned to the very new http://www.securityfocus.com/bid/14996, now entitled
"Bugzilla User-Matching Information Disclosure Vulnerability".
Updated•14 years ago
Flags: testcase+