Closed Bug 348397 Opened 18 years ago Closed 14 years ago

Bugzilla::Bug::AUTOLOAD is not affected by $self->{error}

Categories

(Bugzilla :: Bugzilla-General, defect)

2.23
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: mkanat, Unassigned)

References

(Depends on 1 open bug)

Details

I'm filing this initially as a security bug until we make sure that it doesn't have any negative security effects.

Basically, at one point we made all of Bugzilla::Bug's subroutines check $self->{error}, and return an "empty" value if it was set.

However, we forgot to fix the AUTOLOAD. It's a simple fix, but I wanted to see if we need to backport this, or if changing it will have bad effects somewhere else.
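The gap described in this report, as an added Perl example that is not Bugzilla's code and not part of the original comments: a hand-written accessor honours `{error}`, while the `AUTOLOAD` fallback does not unless the same check is added. The package `Demo::Bug`, the `$GUARD_AUTOLOAD` switch and all field values are hypothetical, and the object is constructed so that a field stays populated while the error flag is set.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a bug object; not Bugzilla's code.
package Demo::Bug;

our $AUTOLOAD;
our $GUARD_AUTOLOAD = 0;    # 0 = behaviour described in the report, 1 = guarded

sub new {
    my ($class, %fields) = @_;
    return bless {%fields}, $class;
}

# Hand-written accessor: returns an "empty" value once {error} is set.
sub short_desc {
    my ($self) = @_;
    return '' if $self->{error};
    return $self->{short_desc};
}

# Fallback accessor for any field without a hand-written sub.
sub AUTOLOAD {
    my ($self) = @_;
    (my $field = $AUTOLOAD) =~ s/.*:://;    # strip the package prefix
    return if $field eq 'DESTROY';          # never treat DESTROY as a field
    return '' if $GUARD_AUTOLOAD && $self->{error};    # the missing check
    die "no such field: $field" unless exists $self->{$field};
    return $self->{$field};
}

package main;

# Constructed object: the error flag is set but fields are still populated.
my $bug = Demo::Bug->new(
    error      => 'not_visible',                       # constructed value
    short_desc => 'constructed summary',
    reporter   => 'constructed-user@example.invalid',
);

# Read one hand-written and one autoloaded accessor, with and without the guard.
for my $guard (0, 1) {
    $Demo::Bug::GUARD_AUTOLOAD = $guard;
    printf "guard=%d short_desc=[%s] reporter=[%s]\n",
        $guard, $bug->short_desc, $bug->reporter;
}
```

With the guard off, only the autoloaded `reporter` accessor returns data from the object that carries the error flag; with the guard on, both accessors return the empty value.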
I think we were safe till now because if the user couldn't see the bug, all $bug->{'foo'} were empty, and so $bug->foo would return an empty string too. So bug 348057 could introduce potential security risks on trunk only. All branches are safe IMO.
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
Depends on: 509734
Bugzilla 3.0 is EOL. We will retarget this bug when it's fixed.
Target Milestone: Bugzilla 3.0 → ---
I suspect bug 600123 has rendered this bug invalid.
(In reply to comment #3)
> I suspect bug 600123 has rendered this bug invalid.

Problem is that security sensitive bugs affect all supported branches. But we never had any evidence that this was a problem, so I would agree to close this bug as WFM or WONTFIX.
It's basically still true, because the added accessors don't respect {error}. But I'm also not aware of any security situation caused by this at the moment, and so I think it's reasonable to WONTFIX it.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Group: bugzilla-security