Closed
Bug 346564
Opened 18 years ago
Closed 18 years ago
[SECURITY] timetracking deadline leaks in XML
Categories
(Bugzilla :: Bug Import/Export & Moving, defect)
Tracking
()
VERIFIED
FIXED
Bugzilla 2.20
People
(Reporter: timeless, Assigned: bugzilla-mozilla)
References
()
Details
(Whiteboard: [doesn't affect 2.18.x][ready for 2.20.3][ready for 2.22.1][ready for 2.23.3])
Attachments
(2 files)
|
571 bytes,
patch
|
LpSolit
:
review+
|
Details | Diff | Splinter Review |
|
559 bytes,
patch
|
LpSolit
:
review+
|
Details | Diff | Splinter Review |
|
||
Comment 1•18 years ago
|
||
The reason is that Bug.pm shows these fields by default:
if (Param('timetrackinggroup')) {
push @fields, qw(estimated_time remaining_time actual_time deadline);
}
But show_bug.cgi incorrectly excludes them when the user is not in the timetracking group:
unless (UserInGroup(Param("timetrackinggroup"))) {
@fieldlist = grep($_ !~ /_time$/, @fieldlist);
}
The first 3 fields are excluded, but deadline doesn't match the regexp.
Group: webtools-security
Component: User Interface → Bug Import/Export & Moving
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.18
Version: 2.23 → 2.18.5
|
|
||
Comment 2•18 years ago
|
||
The fix is not too hard and would prevent confidential data from being displayed. Requesting blocking.
Flags: blocking2.22.1?
Flags: blocking2.20.3?
Flags: blocking2.18.6?
|
Assignee | |
Updated•18 years ago
|
Assignee: ui → bugzilla-mozilla
|
|
Assignee | |
Comment 3•18 years ago
|
||
Deadline is new to Bugzilla 2.20, see bug 103636. Fixing this for 2.18 would be hard ;) Cancelling blocking2.18.6.
Status: NEW → ASSIGNED
Flags: blocking2.18.6?
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Version: 2.18.5 → 2.20.1
|
|
||
Comment 4•18 years ago
|
||
As bkor is working on it, there is a good chance to have it ready for our next set of releases.
Blocks: 346525
|
||
Updated•18 years ago
|
Flags: blocking2.22.1?
Flags: blocking2.22.1+
Flags: blocking2.20.3?
Flags: blocking2.20.3+
|
|
Assignee | |
Comment 5•18 years ago
|
||
Found no other unfiled code that leaked the timetracking fields (in any of the Bugzilla versions). Did wonder a bit about percentage_complete and show_bug.cgi, but that field seems to be buglist.cgi only.
Attachment #237541 -
Flags: review?(LpSolit)
|
|
||
Comment 6•18 years ago
|
||
Comment on attachment 237541 [details] [diff] [review] Patch v1 r=LpSolit
Attachment #237541 -
Flags: review?(LpSolit) → review+
|
|
Assignee | |
Comment 7•18 years ago
|
||
Attachment #237613 -
Flags: review?(LpSolit)
|
|
||
Comment 8•18 years ago
|
||
Comment on attachment 237613 [details] [diff] [review] Backport for 2.20 and 2.22 r=LpSolit
Attachment #237613 -
Flags: review?(LpSolit) → review+
|
|
||
Updated•18 years ago
|
Flags: approval?
Flags: approval2.22?
Flags: approval2.20?
Whiteboard: [doesn't affect 2.18.x][ready for 2.20.3][ready for 2.22.1][ready for 2.23.3]
|
|
||
Comment 9•18 years ago
|
||
Deadline was first introduced in 2.19.2, so that's when this bug dates back to.
Version: 2.20.1 → 2.19.2
|
||
Updated•18 years ago
|
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
|
|
||
Comment 10•18 years ago
|
||
tip: Checking in show_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v <-- show_bug.cgi new revision: 1.49; previous revision: 1.48 done 2.22: Checking in show_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v <-- show_bug.cgi new revision: 1.38.2.1; previous revision: 1.38 done 2.20: Checking in show_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v <-- show_bug.cgi new revision: 1.32.4.2; previous revision: 1.32.4.1 done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Summary: timetracking deadline leaks in xml → [SECURITY] timetracking deadline leaks in XML
|
|
||
Comment 11•18 years ago
|
||
Security Advisory has been sent, so this bug is no longer private.
Group: webtools-security
You need to log in
before you can comment on or make changes to this bug.
Description
•