[SECURITY] timetracking deadline leaks in XML

VERIFIED FIXED in Bugzilla 2.20

Status

()

defect
VERIFIED FIXED
13 years ago
13 years ago

People

(Reporter: timeless, Assigned: bugzilla-mozilla)

Tracking

2.19.2
Bugzilla 2.20
Dependency tree / graph
Bug Flags:
approval +
approval2.22 +
blocking2.22.1 +
approval2.20 +
blocking2.20.3 +

Details

(Whiteboard: [doesn't affect 2.18.x][ready for 2.20.3][ready for 2.22.1][ready for 2.23.3], )

Attachments

(2 attachments)

 
The reason is that Bug.pm shows these fields by default:

    if (Param('timetrackinggroup')) {
        push @fields, qw(estimated_time remaining_time actual_time deadline);
    }


But show_bug.cgi incorrectly excludes them when the user is not in the timetracking group:

unless (UserInGroup(Param("timetrackinggroup"))) {
    @fieldlist = grep($_ !~ /_time$/, @fieldlist);
}

The first 3 fields are excluded, but deadline doesn't match the regexp.
Group: webtools-security
Component: User Interface → Bug Import/Export & Moving
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.18
Version: 2.23 → 2.18.5
The fix is not too hard and would prevent confidential data from being displayed. Requesting blocking.
Flags: blocking2.22.1?
Flags: blocking2.20.3?
Flags: blocking2.18.6?
Assignee: ui → bugzilla-mozilla
Deadline is new to Bugzilla 2.20, see bug 103636. Fixing this for 2.18 would be hard ;)

Cancelling blocking2.18.6.
Status: NEW → ASSIGNED
Flags: blocking2.18.6?
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Version: 2.18.5 → 2.20.1
As bkor is working on it, there is a good chance to have it ready for our next set of releases.
Blocks: 346525
Flags: blocking2.22.1?
Flags: blocking2.22.1+
Flags: blocking2.20.3?
Flags: blocking2.20.3+
Posted patch Patch v1Splinter Review
Found no other unfiled code that leaked the timetracking fields (in any of the Bugzilla versions). Did wonder a bit about percentage_complete and show_bug.cgi, but that field seems to be buglist.cgi only.
Attachment #237541 - Flags: review?(LpSolit)
Comment on attachment 237541 [details] [diff] [review]
Patch v1

r=LpSolit
Attachment #237541 - Flags: review?(LpSolit) → review+
Attachment #237613 - Flags: review?(LpSolit)
Comment on attachment 237613 [details] [diff] [review]
Backport for 2.20 and 2.22

r=LpSolit
Attachment #237613 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval2.22?
Flags: approval2.20?
Whiteboard: [doesn't affect 2.18.x][ready for 2.20.3][ready for 2.22.1][ready for 2.23.3]
Deadline was first introduced in 2.19.2, so that's when this bug dates back to.
Version: 2.20.1 → 2.19.2
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
tip:

Checking in show_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v  <--  show_bug.cgi
new revision: 1.49; previous revision: 1.48
done


2.22:

Checking in show_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v  <--  show_bug.cgi
new revision: 1.38.2.1; previous revision: 1.38
done


2.20:

Checking in show_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v  <--  show_bug.cgi
new revision: 1.32.4.2; previous revision: 1.32.4.1
done
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Summary: timetracking deadline leaks in xml → [SECURITY] timetracking deadline leaks in XML
Security Advisory has been sent, so this bug is no longer private.
Group: webtools-security
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.