Created attachment 267018: patch, v1

In Bugzilla 3.1 (3.0 and lower are not affected), you can set $cgi->param('dup_id') to a bug you cannot see and bypass security checks when not marking the current bug as a dupe. process_bug.cgi checks whether $duplicate is defined, and if yes (and with another condition I won't mention here), it will try to CC you to the bug you cannot see. Fortunately, there is a taint issue when trying to do so (because the validation routine is the one detainting the parameter, and if you bypass the validation check, your variable is still tainted, yay!) and the user is not CC'ed. My patch makes sure you cannot bypass the security checks.
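The flaw described in the comment is an ordering problem: a request parameter is read and treated as "defined" on every code path, while the only routine that validates it (including the visibility check) runs on just one of those paths. The following Python model is an added illustration of that pattern and its fix; it is not Bugzilla's Perl code, and the `Bug`, `User`, `validate_dup_id` and `process_bug_*` names, the group-based visibility rule and the sample data are all constructed for the example. It also leaves out Perl taint mode, which is what actually stopped the CC in the real bug.

```python
from dataclasses import dataclass, field


@dataclass
class Bug:
    """Constructed stand-in for a bug record; 'groups' are the groups a
    user must belong to in order to see the bug."""
    id: int
    groups: frozenset = frozenset()
    cc: set = field(default_factory=set)


@dataclass
class User:
    login: str
    groups: frozenset = frozenset()

    def can_see_bug(self, bug):
        return bug.groups <= self.groups


class BugAccessError(Exception):
    """Raised when a request names a bug the user may not see."""


def validate_dup_id(user, bugs, raw_dup_id):
    """The visibility check. As on the page, this is the only place the
    parameter is validated, and it is reached only on the duplicate path."""
    dup = bugs.get(int(raw_dup_id))
    if dup is None or not user.can_see_bug(dup):
        raise BugAccessError("dup_id refers to a bug you cannot see")
    return dup


def process_bug_vulnerable(user, bugs, params):
    """Models the pre-patch ordering: dup_id is read from the request up
    front, so 'duplicate' is defined even when the resolution is not
    DUPLICATE and the validation never runs. Returns the id of the bug the
    user got CC'ed to, or None."""
    duplicate = params.get("dup_id")              # raw, unvalidated
    if params.get("resolution") == "DUPLICATE":
        validate_dup_id(user, bugs, duplicate)    # the only path with a check
    if duplicate is not None:                     # 'defined' -> CC the user
        target = bugs[int(duplicate)]
        target.cc.add(user.login)
        return target.id
    return None


def process_bug_fixed(user, bugs, params):
    """Hardened ordering: 'duplicate' exists only as the *result* of the
    validation, so a dup_id smuggled into an unrelated request is ignored."""
    duplicate = None
    if params.get("resolution") == "DUPLICATE":
        duplicate = validate_dup_id(user, bugs, params.get("dup_id"))
    if duplicate is not None:
        duplicate.cc.add(user.login)
        return duplicate.id
    return None


def make_bugs():
    """Constructed sample data: bug 200 is restricted to the 'security' group."""
    return {100: Bug(100), 200: Bug(200, groups=frozenset({"security"}))}


def outcome(handler, user, params):
    """Run one handler on fresh data; returns the CC'ed bug id, None, or
    'refused' when the visibility check rejected the request."""
    try:
        return handler(user, make_bugs(), params)
    except BugAccessError:
        return "refused"


def demo():
    outsider = User("mallory@example.com")       # not in the 'security' group
    # a request that changes something else but carries a stray dup_id
    smuggled = {"resolution": "FIXED", "dup_id": "200"}
    # an honest duplicate request against the same hidden bug
    honest = {"resolution": "DUPLICATE", "dup_id": "200"}
    return {
        "vulnerable/smuggled": outcome(process_bug_vulnerable, outsider, smuggled),
        "fixed/smuggled": outcome(process_bug_fixed, outsider, smuggled),
        "vulnerable/honest": outcome(process_bug_vulnerable, outsider, honest),
        "fixed/honest": outcome(process_bug_fixed, outsider, honest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The honest request is refused by both versions, because it goes through the validation routine. Only the pre-patch ordering lets the smuggled request reach the CC step, which is exactly the bypass the comment describes: the check is correct, it just is not on the path the attacker takes.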
Attachment #267018 - Flags: review?(justdave)
Comment on attachment 267018: patch, v1

Hurray for taint mode!
Attachment #267018 - Flags: review?(justdave) → review+
Checking in process_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v <-- process_bug.cgi
new revision: 1.363; previous revision: 1.362
done
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED