Closed Bug 309544 Opened 19 years ago Closed 19 years ago

Restrict bugs shown in dependency processing updates to viewers with permissions

Categories

(Bugzilla :: User Interface, enhancement)

enhancement
Not set
normal


RESOLVED DUPLICATE of bug 28398

People

(Reporter: batosti, Assigned: gabriel.sales)

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6 (Ubuntu package 1.0.6)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6 (Ubuntu package 1.0.6)

Bugs (and people subscribed to them) that are changed during a dependency
update should not be disclosed unless the user has the permissions to view these
bugs.

An example...
If I resolve a bug and another bug depends on it, I see a confirmation "Mail
Sent to: <list>" and "Excluding: <list>"


Reproducible: Always
What version of Bugzilla are you using?

I'm pretty sure this was fixed a long time ago.

If this isn't fixed, it's a security bug, setting flags appropriately until we
find out your version and track down the bug I'm thinking of.
Group: webtools-security
(In reply to comment #1)
> What version of Bugzilla are you using?
> 
I'm using the last CVS version.

> I'm pretty sure this was fixed a long time ago.
> 
> If this isn't fixed, it's a security bug, setting flags appropriately until we
> find out your version and track down the bug I'm thinking of.

When I post a change in a bug and I have no permission to see the blocker or
blocked bug, I see the e-mails of the owner, CC list, etc. of these bugs.
Attached patch v1-send mail but no print out message (obsolete) — Splinter Review
Send mail but no printout message

When a user posts a public bug and marks it as a blocker of a private one, all
people related to the private bug receive mail, but no message is shown to the
user because he is not able to see the private bug.

The same happens when a public bug is resolved while having a private one as a
dependent.
Attached patch v1-fix — Splinter Review
fix
Attachment #196967 - Attachment is obsolete: true
We discussed this a few years back (before visibilitygroups) and did not
consider it a security leak then.  (Meanwhile, I had a site hack to close this up)

Now that we have other similar leaks closed, this does show information (the
list of users) from bugs to which the user making the change has no access.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OK, when I marked this as security earlier, I misunderstood what was being
reported.  This is indeed what we discussed a while back, and is generally not
considered to be a security issue (you can't find out anything about the bug
except who *can* see it, and that may actually be a good thing if you need to
know who to go to to find out about it).

I'm kinda thinking a better way to deal with this might just be to have a param
for whether or not to show the email addresses of the people who were notified
when a bug changed, and let sites turn it off altogether.  I'm not aware of any
other tracking system which shares this little bit of information with the
users, and it's overkill for our results screen for anything beyond
troubleshooting (and for users being able to tell if someone has their bugmail
disabled).
Group: webtools-security
Severity: normal → enhancement
Target Milestone: --- → Bugzilla 2.22
Attachment #196969 - Flags: review+
Flags: approval?
Summary: Restrict bugs in dependency updates to viewers with permissions → Restrict bugs shown in dependency processing updates to viewers with permissions
Assignee: myk → gabriel
Comment on attachment 196969 [details] [diff] [review]
v1-fix

I disagree with this patch, for several reasons:

1) if you have a long list of dependent bugs you cannot access with a long CC
list, there will be a long time between each output, and apache could timeout.

2) I have no way to know if emails are correctly sent or not (is sendmail slow?
is my connection slow?) while waiting for the footer to be displayed.

I think that if some bugs are not accessible, at least their bug number should
be displayed. And maybe a comment like:
"(list of emails not available)" instead of the list of emails.
Attachment #196969 - Flags: review-
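The display policy the reviewer proposes above (keep the bug number, but replace the recipient list of a bug the viewer cannot access with "(list of emails not available)"), combined with the earlier suggestion of a site-wide parameter that hides notified addresses altogether, as an added Python model. This is not Bugzilla code and not either attached patch: the `MailResult` type, the `render_mail_summary` function, the `show_addresses` switch and the sample bug numbers and addresses are all constructed for the example.

```python
"""Added example (not Bugzilla code): render the dependency-update mail
summary so that recipient lists of bugs the viewer cannot see are never
disclosed, while the bug number itself still appears."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class MailResult:
    """Outcome of sending bugmail for one bug touched by a dependency update.
    Field names are assumptions made for this example."""
    bug_id: int
    sent_to: tuple[str, ...]   # addresses that were mailed
    excluded: tuple[str, ...]  # addresses skipped (e.g. bugmail disabled)


PLACEHOLDER = "(list of emails not available)"


def render_mail_summary(results: Iterable[MailResult],
                        visible_bug_ids: set[int],
                        show_addresses: bool = True) -> list[str]:
    """Return the lines to print on the results page.

    - A bug whose id is not in visible_bug_ids is reported by number only;
      its recipient lists are replaced by PLACEHOLDER, so a viewer learns
      nothing about who is on a bug they cannot read.
    - show_addresses=False models a site-wide parameter that suppresses
      address lists for every bug, accessible or not.
    """
    lines: list[str] = []
    for r in results:
        redact = (r.bug_id not in visible_bug_ids) or not show_addresses
        if redact:
            lines.append(f"Bug {r.bug_id}: Mail sent {PLACEHOLDER}")
            continue
        sent = ", ".join(r.sent_to) or "no one"
        excl = ", ".join(r.excluded) or "no one"
        lines.append(f"Bug {r.bug_id}: Mail sent to: {sent}")
        lines.append(f"Bug {r.bug_id}: Excluding: {excl}")
    return lines


def leaked_addresses(lines: Iterable[str], results: Iterable[MailResult],
                     visible_bug_ids: set[int]) -> set[str]:
    """Check helper: every address belonging to an inaccessible bug that
    still appears in the rendered output. Empty set means no disclosure."""
    text = "\n".join(lines)
    hidden = {addr for r in results if r.bug_id not in visible_bug_ids
              for addr in (*r.sent_to, *r.excluded)}
    return {addr for addr in hidden if addr in text}


# Constructed sample: public bug 100 blocks private bug 200. The viewer who
# resolves bug 100 can see only bug 100.
SAMPLE_RESULTS = [
    MailResult(100, ("alice@example.com",), ("bob@example.com",)),
    MailResult(200, ("carol@example.com", "dave@example.com"), ()),
]
VIEWER_CAN_SEE = {100}

if __name__ == "__main__":
    out = render_mail_summary(SAMPLE_RESULTS, VIEWER_CAN_SEE)
    print("\n".join(out))
    print("leaked:", leaked_addresses(out, SAMPLE_RESULTS, VIEWER_CAN_SEE))
```

Because the access check is made before any address is formatted, the output for the private bug carries only its number and the placeholder, which addresses the reviewer's request that the bug number stay visible without echoing the patch's behaviour of printing nothing at all.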
Oh... and this bug is a dupe anyway so the updated patch should go in bug 28398.

*** This bug has been marked as a duplicate of 28398 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: approval?
Resolution: --- → DUPLICATE
Target Milestone: Bugzilla 2.22 → ---
