Closed Bug 382974 Opened 18 years ago Closed 18 years ago

$duplicate can be set even when not marking a bug as a dupe (security check bypass)

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Not set
normal

RESOLVED FIXED
Bugzilla 3.2

People

(Reporter: LpSolit, Assigned: LpSolit)

Details

(Keywords: regression)

Attachments

(1 file)

Attached patch: patch, v1
In Bugzilla 3.1 (3.0 and lower are not affected), you can set $cgi->param('dup_id') to a bug you cannot see and bypass security checks when not marking the current bug as a dupe. process_bug.cgi checks whether $duplicate is defined, and if yes (and with another condition I won't mention here), it will try to CC you to the bug you cannot see. Fortunately, there is a taint issue when trying to do so (because the validation routine is the one detainting the parameter, and if you bypass the validation check, your variable is still tainted, yay!) and the user is not CC'ed. My patch makes sure you cannot bypass the security checks.
Attachment #267018 - Flags: review?(justdave)
Comment on attachment 267018 patch, v1
Hurray for taint mode!
Attachment #267018 - Flags: review?(justdave) → review+
Flags: approval+
Checking in process_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v  <--  process_bug.cgi
new revision: 1.363; previous revision: 1.362
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
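
The flaw described in the report, as an added Perl sketch that is not Bugzilla's code: the parameter is validated (and untainted) only on the duplicate path, while later logic keys on whether it is defined. The names `validate_dup_id`, `flawed_dup_target`, `fixed_dup_target`, the `action` parameter and the bug ids are hypothetical; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added illustration: a simplified model, not Bugzilla's process_bug.cgi.
use strict;
use warnings;
use Scalar::Util qw(tainted);

my $TAINT   = substr($^X, 0, 0);  # zero-length tainted string (taint mode only)
my %visible = (100 => 1);         # constructed data: bug 200 exists but is hidden

# Hypothetical validator: the only place that checks visibility and untaints.
sub validate_dup_id {
    my ($raw) = @_;
    my ($id) = ($raw // '') =~ /\A(\d+)\z/ or die "invalid bug id\n";
    die "access denied to bug $id\n" unless $visible{$id};
    return $id;                   # a regex capture is untainted
}

# Flawed flow: dup_id is always read, but validated only on the dupe path.
sub flawed_dup_target {
    my (%param) = @_;
    my $duplicate = $param{dup_id};
    $duplicate = validate_dup_id($duplicate) if $param{action} eq 'duplicate';
    return $duplicate;            # later code only asks "is it defined?"
}

# Fixed flow: dup_id is ignored unless the bug is being marked as a dupe.
sub fixed_dup_target {
    my (%param) = @_;
    return undef unless $param{action} eq 'duplicate';
    return validate_dup_id($param{dup_id});
}

# Constructed request: a plain comment that also smuggles in dup_id=200.
my %req = (action => 'comment', dup_id => '200' . $TAINT);

my $dup = flawed_dup_target(%req);
printf "flawed: dup target=%s, still tainted=%s\n",
    $dup, tainted($dup) ? 'yes' : 'no';
printf "fixed:  dup target=%s\n", fixed_dup_target(%req) // '(ignored)';

# A genuine dupe request against the hidden bug is stopped by the validator.
my $res = eval { fixed_dup_target(%req, action => 'duplicate') };
print "dupe of hidden bug: ", defined $res ? $res : "rejected: $@";
```

In the flawed flow the hidden id survives unvalidated but is still tainted, which is the condition the report says kept the CC from happening.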