CGI.pl's $::buffer should contain neither Bugzilla_login nor Bugzilla_password

RESOLVED WORKSFORME

People

(Reporter: Wurblzap, Unassigned)

Tracking

Bug Flags:
blocking2.18.6 -

Details

(Reporter)

Description

13 years ago
This doesn't affect HEAD because CGI.pl doesn't exist there any more. I checked with 2.20-BRANCH, and I assume 2.18-BRANCH to be affected, too.

CGI files using $::buffer may end up generating GET forms or URIs containing a user's login and password, thus potentially disclosing it in the web server's log. The fix to bug 287436 covers this only if "Bugzilla->login" happens before "require CGI.pl".

Steps to reproduce:
o Switch the requirelogin parameter on
o Bring up query.cgi and prepare a query which will result in at least one hit
o Get logged out because you're behind a rotating proxy (you can simulate by
  logging out manually in a separate window)
o Press the Search button on the query form (because you're logged out now,
  you'll be asked to log in; do it)
o Press any column header (for sorting)

Actual result:
The column header URIs contain login and password.

Expected result:
All links Bugzilla puts on a page should be stripped of authentication data.
(Reporter)

Comment 1

13 years ago
In fact, this may affect HEAD, too, in places where $cgi->query_string() is accessed (and buffered) before Bugzilla->login happens. Both buglist.cgi and report.cgi do this, but luckily, they seem not to dole it out again (at least I couldn't make them do so).
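As an added example (not Bugzilla's own code, and not written by the reporter), the following Perl shows the defensive side of the description and of comment 1: a buffered query string is scrubbed of Bugzilla_login and Bugzilla_password before any link or form is generated from it, and a constructed web server log line is checked for the same parameters so that an existing leak can be found after the fact. The parameter names come from the bug title; the sample query, the log line and the helper names (strip_credentials, credential_params_in_log_line) are assumptions constructed for this example and use only core Perl.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: remove login credentials from a buffered
# query string before it is reused, and detect them in an access-log line.
use strict;
use warnings;

# Login parameters accepted by Bugzilla 2.x (names taken from the bug title).
my @CREDENTIAL_PARAMS = qw(Bugzilla_login Bugzilla_password);

sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Parse "a=1&b=2" into an ordered list of [name, value] pairs.
sub parse_query {
    my ($qs) = @_;
    my @pairs;
    for my $part (split /[&;]/, $qs) {
        next if $part eq '';
        my ($k, $v) = split /=/, $part, 2;
        $v = '' unless defined $v;
        push @pairs, [url_decode($k), url_decode($v)];
    }
    return @pairs;
}

# Return the query string with the credential parameters removed. This is what
# a buffered copy of the query should look like before any link is built from it.
sub strip_credentials {
    my ($qs) = @_;
    my %drop = map { $_ => 1 } @CREDENTIAL_PARAMS;
    my @kept = grep { !$drop{ $_->[0] } } parse_query($qs);
    return join '&', map { url_encode($_->[0]) . '=' . url_encode($_->[1]) } @kept;
}

# Detection side: does a combined-format log line carry a credential parameter
# in its request URI? Returns the names of the offending parameters.
sub credential_params_in_log_line {
    my ($line) = @_;
    my ($uri) = $line =~ /"(?:GET|POST|HEAD) (\S+) HTTP/ or return ();
    my ($qs)  = $uri  =~ /\?(.*)$/                      or return ();
    my %seen  = map { $_->[0] => 1 } parse_query($qs);
    return grep { $seen{$_} } @CREDENTIAL_PARAMS;
}

# Constructed sample: a sort-link query of the kind the report describes,
# still carrying the login fields that were submitted with the form.
my $buffered = 'query_format=advanced&product=Bugzilla&Bugzilla_login=alice%40example.org'
             . '&Bugzilla_password=s3cret&order=bug_id';
print "before: $buffered\n";
print "after:  ", strip_credentials($buffered), "\n";

# Constructed Apache combined-format log line for the same request.
my $log = '203.0.113.5 - - [01/Jan/2006:12:00:00 +0000] "GET /buglist.cgi?'
        . $buffered . ' HTTP/1.1" 200 4321';
my @leaked = credential_params_in_log_line($log);
print "log line leaks: @leaked\n" if @leaked;
```

The scrub has to run on the buffered copy itself, not only on the value returned by Bugzilla->login, because every link generated from the stale buffer otherwise inherits the credentials; the log check is the quickest way to confirm whether a deployment running an affected branch has already written them to disk.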
(Reporter)

Updated

13 years ago
Flags: blocking2.18.6?

Comment 2

We're so close to release now, and this bug doesn't have a patch on it at the moment.

It sounds like we need to move Bugzilla->login before the CGI.pl requirement, if possible, and that should just fix it.

If we have a 2.18.7, I'd be totally willing to block *that* on this, but I don't want to block all our releases, which we want to start QA on in a few days, on this bug with no patch.
Flags: blocking2.18.6? → blocking2.18.6-

Updated

12 years ago
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security

Comment 3

10 years ago
Marc, is this bug still relevant? 2.20 is no longer supported and 2.22 and newer do not have CGI.pl anymore. Also, do we have any evidence of the problem reported in comment 0?
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
(Reporter)

Comment 4

10 years ago
Yeah, it seems this one outlived itself. I'm a little worried about comment 1, though. Is there someone who has enough time at hand to look into this systematically?

Comment 5

10 years ago
I cannot reproduce in Bugzilla 3.0.8 and newer. Bugzilla 2.x is no longer supported.
Group: bugzilla-security
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
Target Milestone: Bugzilla 2.22 → ---