Closed
Bug 309544
Opened 19 years ago
Closed 19 years ago
Restrict bugs shown in dependency processing updates to viewers with permissions
Categories: Bugzilla :: User Interface, enhancement
People
(Reporter: batosti, Assigned: gabriel.sales)
Attachments (1 file, 1 obsolete file): 4.31 KB patch; bugreport: review+, LpSolit: review-
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6 (Ubuntu package 1.0.6)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6 (Ubuntu package 1.0.6)
Bugs (and people subscribed to them) that are changed during a dependency
update should not be disclosed unless the user has the permissions to view these
bugs.
An example...
If I resolve a bug and another bug depends on it, I see a confirmation "Mail
Sent to: <list>" and "Excluding: <list>"
Reproducible: Always
Comment 1 • 19 years ago
What version of Bugzilla are you using?
I'm pretty sure this was fixed a long time ago.
If this isn't fixed, it's a security bug, setting flags appropriately until we
find out your version and track down the bug I'm thinking of.
Group: webtools-security
Comment 2 • 19 years ago
(In reply to comment #1)
> What version of Bugzilla are you using?
>
I'm using the last CVS version.
> I'm pretty sure this was fixed a long time ago.
>
> If this isn't fixed, it's a security bug, setting flags appropriately until we
> find out your version and track down the bug I'm thinking of.
When I post a change in a bug and I have no permissions to see the blocker or
blocked bug, I see the e-mails of the owner, CC list, etc. of these bugs.
Comment 3 • 19 years ago
Send mail but no printout message
When a user posts a public bug and marks it as a blocker of a private one, all
people related to the private bug receive mail, but no message is prompted to the
user because he is not able to see the private bug.
The same happens when a public bug is resolved having a private one as a
dependent.
Comment 5 • 19 years ago
We discussed this a few years back (before visibilitygroups) and did not
consider it a security leak then. (Meanwhile, I had a site hack to close this up)
Now that we have other similar leaks closed, this does show information (the
list of users) from bugs to which the user making the change has no access.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 6 • 19 years ago
OK, When I marked this as security earlier, I misunderstood what was being
reported. This is indeed what we discussed a while back, and is generally not
considered to be a security issue (you can't find out anything about the bug
except who *can* see it, and that may actually be a good thing if you need to
know who to go to to find out about it).
I'm kinda thinking a better way to deal with this might just be to have a param
for whether or not to show the email addresses of the people who were notified
when a bug changed, and let sites turn it off altogether. I'm not aware of any
other tracking system which shares this little bit of information with the
users, and it's overkill for our results screen for anything beyond
troubleshooting (and for users being able to tell if someone has their bugmail
disabled).
Group: webtools-security
Severity: normal → enhancement
Target Milestone: --- → Bugzilla 2.22
Updated • 19 years ago
Attachment #196969 -
Flags: review+
Updated • 19 years ago
Flags: approval?
Summary: Restrict bugs in dependency updates to viewers with permissions → Restrict bugs shown in dependency processing updates to viewers with permissions
Updated • 19 years ago
Assignee: myk → gabriel
Comment 7 • 19 years ago
Comment on attachment 196969 (v1-fix)
I disagree with this patch, for several reasons:
1) if you have a long list of dependent bugs you cannot access with a long CC
list, there will be a long time between each output, and Apache could time out.
2) I have no way to know if emails are correctly sent or not (is sendmail slow?
is my connection slow?) while waiting for the footer to be displayed.
I think that if some bugs are not accessible, at least their bug number should
be displayed. And maybe a comment like:
"(list of emails not available)" instead of the list of emails.
Attachment #196969 -
Flags: review-
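As an added illustration, not Bugzilla's code and not the patch under review here, the following Python models the permission-gated report that comment 7 asks for: every dependent bug number is still listed, but the "Mail sent to" / "Excluding" address lists are replaced by "(list of emails not available)" for bugs the viewer cannot see, and a site-level switch (the param idea from comment 6) can suppress addresses altogether. The bug records, recipient addresses and the viewer's set of visible bug ids are constructed for the example; the `leaked_addresses` check is a simple way to verify that no address belonging to a hidden bug reaches the rendered output.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed sample data (hypothetical bug ids and addresses).
NOT_AVAILABLE = "(list of emails not available)"


@dataclass
class DependentBug:
    bug_id: int
    sent: List[str]      # recipients that were actually mailed
    excluded: List[str]  # recipients skipped (e.g. bugmail disabled)


SAMPLE_BUGS = [
    DependentBug(1001, ["alice@example.com"], ["bob@example.com"]),          # public
    DependentBug(1002, ["carol@example.com", "dave@example.com"], []),       # private
]


def render_dependency_report(bugs: List[DependentBug],
                             visible_bug_ids: Set[int],
                             show_emails: bool = True) -> List[str]:
    """Render one line per dependent bug. The bug number is always shown
    (comment 7), but recipient lists are only shown when the viewer can see
    that bug AND the site allows showing notified addresses (comment 6)."""
    lines = []
    for bug in bugs:
        if show_emails and bug.bug_id in visible_bug_ids:
            sent = ", ".join(bug.sent) or "(none)"
            excluded = ", ".join(bug.excluded) or "(none)"
        else:
            # Hidden bug or addresses disabled site-wide: disclose nothing
            # beyond the bug number.
            sent = excluded = NOT_AVAILABLE
        lines.append(f"Bug {bug.bug_id}: Mail sent to: {sent}; Excluding: {excluded}")
    return lines


def leaked_addresses(report_lines: List[str],
                     bugs: List[DependentBug],
                     visible_bug_ids: Set[int]) -> List[str]:
    """Return every address from a bug the viewer cannot see that still
    appears in the rendered report. An empty list means no disclosure."""
    hidden = {addr
              for b in bugs if b.bug_id not in visible_bug_ids
              for addr in b.sent + b.excluded}
    text = "\n".join(report_lines)
    return sorted(a for a in hidden if a in text)


if __name__ == "__main__":
    viewer_can_see = {1001}
    for line in render_dependency_report(SAMPLE_BUGS, viewer_can_see):
        print(line)
    print("leaked:", leaked_addresses(
        render_dependency_report(SAMPLE_BUGS, viewer_can_see),
        SAMPLE_BUGS, viewer_can_see))
```

Rendering the list without the visibility check (the behaviour the reporter describes) makes `leaked_addresses` return the private bug's recipients, which is the condition the gated renderer removes while still telling the user which bug numbers were processed.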
Comment 8 • 19 years ago
Oh... and this bug is a dupe anyway so the updated patch should go in bug 28398.
*** This bug has been marked as a duplicate of 28398 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: approval?
Resolution: --- → DUPLICATE
Target Milestone: Bugzilla 2.22 → ---