Closed Bug 319087 Opened 19 years ago Closed 17 years ago

reports.cgi throws an error if you pass in an invalid "datasets" parameter

Categories

(Bugzilla :: Reporting/Charting, defect)

Product:
Bugzilla
Component:
Reporting/Charting
Version:
2.18.4
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.22

People

(Reporter: mkanat, Assigned: LpSolit)

References

Details

(Whiteboard: [blocker will fix])

From Tim Brown <timb@nth-dimension.org.uk>: Bugzilla 2.18.4, 2.20 The path to the Bugzilla installation is disclosed when a request is made to reports.cgi with an invalid datasets parameter which fails the regular expression m/^[A-Za-z0-9:]+$/.
not a security bug
Group: webtools-security
bah... fixing this bug in a clean way is not that easy. I detected two places where the path is displayed. - the first one is trivial to fix, at line 236: if ($datasets !~ m/^[A-Za-z0-9:]+$/) { die "Invalid datasets $datasets"; } We simply have to replace die() by ThrowUserError(). - the second one is bothering me, at line 345: $img->set (%settings); $img->$type($image_file, [ @data{('DATE', @labels)} ]); $img->$type() fails and throws an error (using croak(), i.e. with the path in it) if you pass an invalid datasets value. As the exact reason of the failure is internal to Chart::Lines (or more precisely to Chart::Base), we cannot hardcore the reason of the failure in code-error.html.tmpl. And using eval {} and $@ would require to remove the path from it, which cannot easily be done as: my $path = cwd(); my $error = $@; $error =~ s/\Q$path\E//g; because some installations, such as mines, use simlinks to point to the right directory, and so the regexp will fail to remove the path and the path would still be exposed. In this case, I see no other choice than hidding the exact reason, but this makes debugging much harder.
Depends on: 340253
(In reply to comment #3) > we cannot > hardcore the reason of the failure in code-error.html.tmpl. And using eval {} > and $@ would require to remove the path from it, which cannot easily be done > In this case, I see no other choice than hidding the exact > reason, but this makes debugging much harder. What we could do is to show a generic error to unprivileged users ('an internal error occured while generating the graph, please report this error to the admin') and display the exact error if the user is an admin.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.22
The 2.22 branch is restricted to security bugs and this bug is not critical enough -> 3.0.
Target Milestone: Bugzilla 2.22 → Bugzilla 3.0
I fixed the issue reported in comment 0 as part of bug 340253.
Assignee: gerv → LpSolit
Whiteboard: [blocker will fix]
Target Milestone: Bugzilla 3.0 → Bugzilla 2.22
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.