Closed Bug 309544 Opened 19 years ago Closed 19 years ago

Restrict bugs shown in dependency processing updates to viewers with permissions

Categories: Bugzilla :: User Interface (enhancement)

Status: RESOLVED DUPLICATE of bug 28398

People: Reporter: batosti; Assignee: gabriel.sales

Attachments: 1 file, 1 obsolete file

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6 (Ubuntu package 1.0.6)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6 (Ubuntu package 1.0.6)

Bugs (and people subscribed to them) that are changed during a dependency update should not be disclosed unless the user has the permissions to view these bugs.

An example: if I resolve a bug and another bug depends on it, I see a confirmation "Mail Sent to: <list>" and "Excluding: <list>".

Reproducible: Always
What version of Bugzilla are you using? I'm pretty sure this was fixed a long time ago. If this isn't fixed, it's a security bug, setting flags appropriately until we find out your version and track down the bug I'm thinking of.
Group: webtools-security
(In reply to comment #1)
> What version of Bugzilla are you using?

I'm using the latest CVS version.

> I'm pretty sure this was fixed a long time ago.
>
> If this isn't fixed, it's a security bug, setting flags appropriately until we
> find out your version and track down the bug I'm thinking of.

When I post a change to a bug and I have no permission to see the blocker or blocked bug, I see the e-mails of the owner, CC list, etc. of those bugs.
Send mail but no printout message: when a user posts a public bug and marks it as a blocker of a private one, all people related to the private bug receive mail, but no message is shown to the user because he is not able to see the private bug. The same happens when a public bug is resolved that has a private one as a dependent.
Attached patch v1-fix (Splinter Review)
fix
Attachment #196967 - Attachment is obsolete: true
We discussed this a few years back (before visibilitygroups) and did not consider it a security leak then. (Meanwhile, I had a site hack to close this up) Now that we have other similar leaks closed, this does show information (the list of users) from bugs to which the user making the change has no access.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OK, When I marked this as security earlier, I misunderstood what was being reported. This is indeed what we discussed a while back, and is generally not considered to be a security issue (you can't find out anything about the bug except who *can* see it, and that may actually be a good thing if you need to know who to go to to find out about it). I'm kinda thinking a better way to deal with this might just be to have a param for whether or not to show the email addresses of the people who were notified when a bug changed, and let sites turn it off altogether. I'm not aware of any other tracking system which shares this little bit of information with the users, and it's overkill for our results screen for anything beyond troubleshooting (and for users being able to tell if someone has their bugmail disabled).
Group: webtools-security
Severity: normal → enhancement
Target Milestone: --- → Bugzilla 2.22
Attachment #196969 - Flags: review+
Flags: approval?
Summary: Restrict bugs in dependency updates to viewers with permissions → Restrict bugs shown in dependency processing updates to viewers with permissions
Assignee: myk → gabriel
Comment on attachment 196969 [details] [diff] [review] v1-fix

I disagree with this patch, for several reasons:

1) If you have a long list of dependent bugs you cannot access with a long CC list, there will be a long time between each output, and Apache could time out.
2) I have no way to know if emails are correctly sent or not (is sendmail slow? is my connection slow?) while waiting for the footer to be displayed.

I think that if some bugs are not accessible, at least their bug number should be displayed. And maybe a comment like "(list of emails not available)" instead of the list of emails.
Attachment #196969 - Flags: review-
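The disclosure under discussion, and the reviewer's proposed alternative, modelled as an added example (this is illustrative Python, not Bugzilla's own Perl code, and not the attached patch). It assumes a simplified Bugzilla visibility rule (a restricted bug is visible only to a user who belongs to every group it is restricted to; reporter/CC accessibility flags are ignored), and the users, groups and bug numbers are constructed sample data. `summary_leaky` reproduces the reported behaviour: after a dependency update it prints the "Mail sent to" / "Excluding" lists for every changed bug. `summary_restricted` keeps the bug number, so the user can still tell that mail went out and the request did not hang, but withholds the recipient lists for bugs the viewer cannot see. `leaked_addresses` is the check a reviewer would run over either output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    groups: frozenset = frozenset()
    wants_bugmail: bool = True  # False models "bugmail disabled" (the Excluding: list)


@dataclass(frozen=True)
class Bug:
    id: int
    groups: frozenset  # empty frozenset = public bug
    reporter: User
    assignee: User
    cc: tuple = ()


def can_see_bug(viewer: User, bug: Bug) -> bool:
    """Simplified visibility rule (assumption, see lead-in): a restricted bug
    is visible only to a viewer who is in every group it is restricted to."""
    return bug.groups <= viewer.groups


def recipients(bug: Bug):
    """Split the bug's notification list into (sent, excluded) addresses."""
    people = {bug.reporter, bug.assignee, *bug.cc}
    sent = sorted(p.email for p in people if p.wants_bugmail)
    excluded = sorted(p.email for p in people if not p.wants_bugmail)
    return sent, excluded


def summary_leaky(viewer: User, changed_bugs):
    """The behaviour this bug reports: recipient lists are printed for every
    dependent bug, whether or not the viewer may see that bug."""
    out = []
    for bug in changed_bugs:
        sent, excluded = recipients(bug)
        out.append({"bug": bug.id, "sent": sent, "excluded": excluded})
    return out


def summary_restricted(viewer: User, changed_bugs):
    """Hardened form following the review comment: the bug number is still
    listed, but recipient lists are withheld for bugs the viewer cannot see."""
    out = []
    for bug in changed_bugs:
        if can_see_bug(viewer, bug):
            sent, excluded = recipients(bug)
            out.append({"bug": bug.id, "sent": sent, "excluded": excluded})
        else:
            out.append({"bug": bug.id, "sent": None, "excluded": None,
                        "note": "(list of emails not available)"})
    return out


def leaked_addresses(viewer: User, summary, bugs_by_id):
    """Audit helper: addresses shown in a summary that belong to bugs the
    viewer cannot see. Expected to be empty for summary_restricted."""
    leaked = set()
    for entry in summary:
        if can_see_bug(viewer, bugs_by_id[entry["bug"]]):
            continue
        for key in ("sent", "excluded"):
            leaked.update(entry.get(key) or [])
    return leaked


# Constructed sample data (hypothetical users, group and bug numbers).
SECURITY = frozenset({"webtools-security"})
alice = User("alice@example.org", SECURITY)
bob = User("bob@example.org", SECURITY, wants_bugmail=False)
carol = User("carol@example.org")      # no group memberships
mallory = User("mallory@example.org")  # the outsider making the change

PUBLIC_BUG = Bug(1001, frozenset(), reporter=carol, assignee=mallory)
PRIVATE_BUG = Bug(1002, SECURITY, reporter=alice, assignee=alice, cc=(bob, carol))
CHANGED = [PUBLIC_BUG, PRIVATE_BUG]
BUGS_BY_ID = {b.id: b for b in CHANGED}

if __name__ == "__main__":
    for name, fn in (("leaky", summary_leaky), ("restricted", summary_restricted)):
        print(name)
        for entry in fn(mallory, CHANGED):
            print("  ", entry)
```

Run as a script it prints both summaries for `mallory`, who resolved the public bug 1001 and cannot see the private dependent 1002: the leaky summary exposes alice, bob and carol (including bob, who only appears because his bugmail is disabled), while the restricted summary lists bug 1002 with the "(list of emails not available)" note. Note that even the restricted form confirms that bug 1002 exists and was touched; comment 6 above treats that as acceptable, and a site that disagrees would need to drop the bug number as well.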
Oh... and this bug is a dupe anyway so the updated patch should go in bug 28398. *** This bug has been marked as a duplicate of 28398 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: approval?
Resolution: --- → DUPLICATE
Target Milestone: Bugzilla 2.22 → ---