Closed Bug 309952 (CVE-2010-1204) Opened 19 years ago Closed 14 years ago

[SECURITY] A boolean chart search with time tracking fields works for everybody

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
2.20
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 3.2

People

(Reporter: wicked, Assigned: mkanat)

References

Details

Attachments

(4 files, 5 obsolete files)

v1 (3.6)
526 bytes, patch
LpSolit
: review+
Details | Diff | Splinter Review
v1 (3.4)
706 bytes, patch
LpSolit
: review+
Details | Diff | Splinter Review
v1 (3.2)
670 bytes, patch
LpSolit
: review+
Details | Diff | Splinter Review
v1 (HEAD)
500 bytes, patch
mkanat
: review+
Details | Diff | Splinter Review 
A user can execute a boolean chart search that has a time tracking field even
though the user isn't in the group defined by timetrackinggroup param. This way
one could search for all bugs that have worked time equal to 2 and get a list of
all bugs that have taken 2 hours to finish. Time tracking fields are not shown
on the drop-down for these users so URL hacking or a previously saved query
needs to be used to trigger this.
I'm not sure it's a security bug.
Well, it is not a very serious one... but it is something we should fix.
 I suggest just adding a check to Search.pm to throw an error when the time
fields are invoked.
Status: UNCONFIRMED → NEW
Ever confirmed: true
joel, do you think we could remove the security flag?
I'd leave it set until we have a patch deployed.  It is not a large leak, but it
is one that can be exploited for its little bit of information.


    
  

        Attachment #199652 -
        Flags: review?(wicked)

    
    

    
  
Comment on attachment 199652 [details] [diff] [review]
Eliminate criteria on time fields

>Index: Bugzilla/Search.pm
>===================================================================
>+             unless (Bugzilla->user->in_group(Param('timetrackinggroup'))){
>+                 $term = "1";
>+                 return;
>+             }

You should use $user variable for the current user because whine.pl and
collectstats.pl can pass a user that Bugzilla::Search should use for permission
checking. Now neither of those can use timetracking even if the user they use
have necessary permission.

Also, I don't like the way time tracking fields are silently ignored when a
user has no permission to use them. Now the search seems to succeed but it only
uses non-timetracking criterias. Would it be possible to throw an error
instead?

        Attachment #199652 -
        Flags: review?(wicked) → review-

    
    

    
  
2.16 branch is not affected because it doesn't have timetracking fields.
Assignee: create-and-change → bugreport
Target Milestone: --- → Bugzilla 2.18

    
    

    
  
(In reply to comment #6)
> Also, I don't like the way time tracking fields are silently ignored when a
> user has no permission to use them. Now the search seems to succeed but it only
> uses non-timetracking criterias. Would it be possible to throw an error
> instead?

What should be done, IMO, is to ignore those fields, but display a message at
the top of the buglist that this list has been obtained ignoring time-related
fields. This way, your saved searches which used time-related fields in the past
(for instance when you were in the time-tracking group) still return some
results instead of throwing an error.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2, 2.20 branch and tip (obsolete)
        — Splinter Review
      

    


  
This fixes the user object.

I did look at the other question.  While it would be possible to return a
warning to buglist for these particular changes, there are many cases where
search silently ignores fields it is not supposed to care about.  It would not
amke sense to warn for this one case only.

        Attachment #199652 -
        Attachment is obsolete: true

        Attachment #199897 -
        Flags: review?(wicked)

    
    

    
  
(In reply to comment #9)
> search silently ignores fields it is not supposed to care about.  It would not
> amke sense to warn for this one case only.

ok!
Status: NEW → ASSIGNED
Whiteboard: [doesn't affect 2.16]

    
    

    
  
Comment on attachment 199897 [details] [diff] [review]
Patch v2, 2.20 branch and tip

Looks good on 2.20 branch on tip. Now the timetracking fields are simply ignored in search if the user is not in time tracking group.

Branch 2.18 needs a backport.

        Attachment #199897 -
        Attachment description: Patch v2 → Patch v2, 2.20 branch and tip

        Attachment #199897 -
        Flags: review?(wicked) → review+

    
  
Flags: approval?
Flags: approval2.20?
Whiteboard: [doesn't affect 2.16] → [doesn't affect 2.16][patch needed for 2.18.5][ready for 2.20.1][ready for 2.21.2]

    
  
Blocks: 312700

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Backport to 2-18 (obsolete)
        — Splinter Review
      

    


  
I was only able to do rudimentary testing for this, but it should be the ticket.

        Attachment #203219 -
        Flags: review?(LpSolit)

    
    

    
  
Comment on attachment 203219 [details] [diff] [review]
Backport to 2-18

wicked reported the bug, and he reviewed the patches for the tip and 2.20... I let him review this one too. :)

        Attachment #203219 -
        Flags: review?(LpSolit) → review?(wicked)

    
    

    
  
Comment on attachment 203219 [details] [diff] [review]
Backport to 2-18

>Index: Bugzilla/Search.pm
>===================================================================
>+             if (Param("timetrackinggroup") 
>+                 && &::UserInGroup(Param("timetrackinggroup"))) {

You need to use the possibly passed $user parameter here too or new chart queries can't use time tracking fields. This would mean using the in_group User.pm function. I wouldn't mind if you change this also to return immediately when a user is not in the timetracking group. That way there's no need to change intendation. All this means this patch would be almost like the newer patch.

        Attachment #203219 -
        Flags: review?(wicked) → review-

    
    

    
  
joel, ping? Could you please update your patch for 2.18? We cannot freeze checkins and start the QA cycle till the backport is ok (which should be in a week or so).

    
  
Blocks: 320312

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch for 2-18 v2 (obsolete)
        — Splinter Review
      

    


  
Here's the backport.  I did only the most rudimentary testing on this.  Wicked:  Can you still test this?

        Attachment #203219 -
        Attachment is obsolete: true

        Attachment #206094 -
        Flags: review?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch for 2-18 v2 (obsolete)
        — Splinter Review
      

    


  
Here's the backport.  I did only the most rudimentary testing on this.  Wicked:  Can you still test this?

        Attachment #206096 -
        Flags: review?(wicked)

    
  

        Attachment #206094 -
        Attachment is obsolete: true

        Attachment #206094 -
        Flags: review?

    
  
Whiteboard: [doesn't affect 2.16][patch needed for 2.18.5][ready for 2.20.1][ready for 2.21.2] → [doesn't affect 2.16][patch for 2.18.5 awaiting review][ready for 2.20.1][ready for 2.21.2]

    
    

    
  
Comment on attachment 206096 [details] [diff] [review]
Patch for 2-18 v2

This only protects some specific boolean query types but still allows, for example, "estimated_time is greater than zero" query. This is because there's bunch of regexps with no specific field name.

Also, I'd still like to see an immediate return instead of intendation change in 2.18 patch too. Just like on the tip/2.20 patch.

        Attachment #206096 -
        Flags: review?(wicked) → review-

    
    

    
  
Comment on attachment 199897 [details] [diff] [review]
Patch v2, 2.20 branch and tip

Looks like same problem also affects tip patch. Sorry for wrong review earlier. :(

        Attachment #199897 -
        Flags: review+ → review-

    
    

    
  
looks like this patch won't be ready for the next set of releases. :(
Flags: approval?
Flags: approval2.20?
Whiteboard: [doesn't affect 2.16][patch for 2.18.5 awaiting review][ready for 2.20.1][ready for 2.21.2] → [doesn't affect 2.16]

    
  
No longer blocks: 320312

    
  
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20

    
  
Group: webtools-security → bugzilla-security

    
  
Group: bugzilla-security → webtools-security

    
  
Group: webtools-security → bugzilla-security

    
    

    
  
Bugzilla 2.20 is no longer supported. Retargetting to 2.22.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22

    
    

    
  
Any chance of somebody fixing this? It should be easier now with is_timetracker and the Search.pm refactoring.
Assignee: bugreport → create-and-change

    
  
No longer blocks: 312700

    
    

    
  
Bugzilla 2.x is no longer supported. Retargetting to 3.0.
Target Milestone: Bugzilla 2.22 → Bugzilla 3.0

    
  
Status: ASSIGNED → NEW

    
  
Assignee: create-and-change → wicked

    
    

    
  
Bugzilla 3.0 is EOL. We will retarget this bug when it's fixed.
Target Milestone: Bugzilla 3.0 → ---

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 (3.6)Splinter Review
      

    


  
This was remarkably easy to fix.
Assignee: wicked → mkanat

        Attachment #199897 -
        Attachment is obsolete: true

        Attachment #206096 -
        Attachment is obsolete: true
Status: NEW → ASSIGNED

        Attachment #439667 -
        Flags: review?(wicked)

        Attachment #439667 -
        Flags: review?(LpSolit)

    
  
Whiteboard: [doesn't affect 2.16]
Target Milestone: --- → Bugzilla 3.2

    
  

        Attachment #439667 -
        Flags: review?(wicked)

        Attachment #439667 -
        Flags: review?(LpSolit)

        Attachment #439667 -
        Flags: review+

    
    

    
  
Comment on attachment 439667 [details] [diff] [review]
v1 (3.6)

Works fine in 3.7. But the patch needs to be backported as 3.4 and 3.2 do not have TIMETRACKING_FIELDS defined.

    
  
Flags: approval?
Flags: approval3.6?
Summary: A boolean chart search with time tracking fields works for everybody → [SECURITY] A boolean chart search with time tracking fields works for everybody
Whiteboard: [backports for 3.4 and 3.2 needed]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 (3.4)Splinter Review
      

    


  
This is a backport. I've tested it only on 3.4, but it should also work on 3.2.

        Attachment #444353 -
        Flags: review?(LpSolit)

    
    

    
  
Comment on attachment 444353 [details] [diff] [review]
v1 (3.4)

Works with 3.4 only. is_timetracker() doesn't exist in 3.2, so another backport is required.

        Attachment #444353 -
        Attachment description: v1 (3.4 and 3.2) → v1 (3.4)

        Attachment #444353 -
        Flags: review?(LpSolit) → review+

    
  
Flags: approval3.4?
Whiteboard: [backports for 3.4 and 3.2 needed] → [backports for 3.2 needed]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 (3.2)Splinter Review
      

    


  
Okay, here's the 3.2 backport. I haven't tested it, because I don't have a live 3.2 installation handy, but it compiles and it's basically identical to the other patches, except that we check timetrackinggroup membership directly, which is also what we do in other parts of Search.pm in 3.2.

        Attachment #444873 -
        Flags: review?(LpSolit)

    
    

    
  
Comment on attachment 444873 [details] [diff] [review]
v1 (3.2)

r=LpSolit

        Attachment #444873 -
        Flags: review?(LpSolit) → review+

    
    

    
  
ready to land.
Flags: approval3.2?
Whiteboard: [backports for 3.2 needed]

    
    

    
  
Let's put it in our radar for 3.6.1.
Flags: blocking3.6.1+

    
    

    
  
This is CVE-2010-1204.
Alias: CVE-2010-1204

    
  
Blocks: 567670

    
    

    
  
Okay, I'm going to release today, so checkin will be soon.
Flags: approval?
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 (HEAD)Splinter Review
      

    


  
This required some very minor un-bitrotting for HEAD. Carrying forward review for un-bitrotted patch.

        Attachment #453763 -
        Flags: review+

    
  

        Attachment #439667 -
        Attachment description: v1 (HEAD) → v1 (3.6)

    
    

    
  
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/                       
modified Bugzilla/Search.pm
Committed revision 7246.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/                         
modified Bugzilla/Search.pm
Committed revision 7112. 

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.4/                         
modified Bugzilla/Search.pm
Committed revision 6761.

Committing to: bzr+ssh://mkanat%40bugzilla.org@bzr.mozilla.org/bugzilla/3.2/   
modified Bugzilla/Search.pm
Committed revision 6383.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
Security advisory sent, unlocking bug.
Group: bugzilla-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: