$duplicate can be set even when not marking a bug as a dupe (security check bypass)

RESOLVED FIXED in Bugzilla 3.2

Status

RESOLVED FIXED
12 years ago

People

(Reporter: LpSolit, Assigned: LpSolit)

Tracking

Target Milestone: Bugzilla 3.2
Keywords: regression
Bug Flags: approval+

Attachments

(1 attachment)

(Assignee)

Description

12 years ago
Created attachment 267018 [details] [diff] [review]
patch, v1

In Bugzilla 3.1 (3.0 and lower are not affected), you can set $cgi->param('dup_id') to a bug you cannot see and bypass security checks when not marking the current bug as a dupe. process_bug.cgi checks whether $duplicate is defined, and if yes (and with another condition I won't mention here), it will try to CC you to the bug you cannot see. Fortunately, there is a taint issue when trying to do so (because the validation routine is the one detainting the parameter, and if you bypass the validation check, your variable is still tainted, yay!) and the user is not CC'ed.

My patch makes sure you cannot bypass the security checks.
Attachment #267018 - Flags: review?(justdave)
Comment on attachment 267018 [details] [diff] [review]
patch, v1

Hurray for taint mode!
Attachment #267018 - Flags: review?(justdave) → review+
(Assignee)

Updated

12 years ago
Flags: approval+
(Assignee)

Comment 2

12 years ago
Checking in process_bug.cgi;
/cvsroot/mozilla/webtools/bugzilla/process_bug.cgi,v  <--  process_bug.cgi
new revision: 1.363; previous revision: 1.362
done
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED