Closed Bug 319090 Opened 20 years ago Closed 20 years ago

editusers.cgi throws an error when an invalid userid parameter is given

Categories

(Bugzilla :: User Accounts, defect)

2.20
defect
Not set
normal


RESOLVED FIXED
Bugzilla 2.20

People

(Reporter: mkanat, Assigned: LpSolit)

References

Details

(Whiteboard: [doesn't affect 2.18][blocker will fix])

Tim Brown <timb@nth-dimension.org.uk>:

Bugzilla 2.20

The path to the Bugzilla installation is disclosed when a request is made to editusers.cgi with an invalid userid parameter.

We may have already fixed this, with that other bug about editusers.cgi editing user 0 -- wurblzap?
Yup, fixed by bug 314039.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Not an issue on MySQL, thanks to bug 314039, but this is still an issue on PostgreSQL, see bug 319082:

DBD::Pg::db selectrow_array failed: ERROR: invalid input syntax for integer: "324cbcvb" [(truncated SQL query here)]
Bugzilla::User::_create('Bugzilla::User', 'userid=?', '324cbcvb') called at Bugzilla/User.pm line 75
Bugzilla::User::new('Bugzilla::User', '324cbcvb') called at /var/www/html/qa222pg/editusers.cgi line 723
main::check_user('324cbcvb', 'undef') called at /var/www/html/qa222pg/editusers.cgi line 216

This problem will be fixed by bug 319082.
Status: RESOLVED → REOPENED
Depends on: 319082
Resolution: WORKSFORME → ---
Whiteboard: [blocker will fix]
Assignee: user-accounts → LpSolit
Status: REOPENED → NEW
2.18 uses the login name, not the user ID. So this version is not affected.
Status: NEW → ASSIGNED
Whiteboard: [blocker will fix] → [doesn't affect 2.18][blocker will fix]
Not a security bug
Group: webtools-security
Fixed by blocker.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
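
One way to stop a malformed userid before it reaches the database driver, and to keep driver errors (with their file paths) out of the response, shown as an added example that is not Bugzilla's code and not the fix from bug 319082. The subs lookup_user, valid_userid and handle_edit_request, the sample users and the response messages are all hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the database lookup (constructed for this example). It dies the
# way the PostgreSQL driver does in the trace above when a non-integer value
# is bound to the integer userid column.
sub lookup_user {
    my ($userid) = @_;
    die qq{ERROR: invalid input syntax for integer: "$userid"\n}
        unless $userid =~ /\A[0-9]+\z/;
    my %users = (1 => 'admin@example.com', 42 => 'user@example.com');  # constructed data
    return $users{$userid};
}

# Accept only a plain natural number; anything else never reaches the driver,
# so MySQL and PostgreSQL see the same input.
sub valid_userid {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([0-9]{1,9})\z/;
    return $1 + 0;
}

# Hypothetical request handler: returns (HTTP status, message for the browser).
sub handle_edit_request {
    my ($raw) = @_;
    my $userid = valid_userid($raw);
    return (400, 'Invalid user ID.') unless defined $userid;

    # Second layer: if the lookup still fails, the detailed error goes to the
    # server log only and the browser gets a generic message.
    my $login = eval { lookup_user($userid) };
    if ($@) {
        warn "user lookup failed: $@";
        return (500, 'An internal error occurred.');
    }
    return (404, 'No such user.') unless defined $login;
    return (200, $login);
}

# Constructed inputs, including the value from the trace above.
for my $raw ('42', '324cbcvb', '0', '-1', '4 2', '') {
    my ($status, $body) = handle_edit_request($raw);
    printf "%-12s -> %d %s\n", "'$raw'", $status, $body;
}
```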