show_activity.cgi doesn't check viewing permissions

RESOLVED FIXED in Bugzilla 2.14

Status: RESOLVED FIXED
Product: Bugzilla
Component: Bugzilla-General
Priority: P3
Severity: normal
Reported: 18 years ago
Modified: 5 years ago

People

Reporter: Jesse Ruderman
Assignee: myk

Tracking

Version: unspecified
Target Milestone: Bugzilla 2.14
Platform: Other
OS: Other

Details

Whiteboard: security

Attachments: 3

Description (Reporter, 18 years ago)

http://bugzilla.mozilla.org/show_bug.cgi?id=28698 gives "permission denied".
http://bugzilla.mozilla.org/show_activity.cgi?id=28698 is visible.
Updated (Reporter, 17 years ago)

Blocks: 66091
Whiteboard: 2.14

Updated (17 years ago)

Whiteboard: 2.14 → 2.14, security
moving to real milestones...
Whiteboard: 2.14, security → security
Target Milestone: --- → Bugzilla 2.14
Comment 2 (Assignee, 17 years ago)

Created attachment 36416 [details] [diff] [review]
patch to validate bug ID and check permissions to view bug
Comment 3 (Assignee, 17 years ago)

Created attachment 36433 [details] [diff] [review]
patch that abstracts out bug ID validation
Comment 4 (Assignee, 17 years ago)

This second patch puts most of the validation code into a separate function in
CGI.pl so it can be used by other scripts that need to do bug ID validation
(like bug 39524, bug 39527, etc.).
Assignee: tara → myk
Keywords: patch
Comment 5

The check for the user belonging to the product group is unnecessary. That's
included in the groupset on the bug itself. It is possible to clear the product
group bit on a bug that's in a product that has a group, and this would prevent
people from seeing it then.
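As an added illustration of the approach discussed in comments 4 and 5 (example code written for this page, not Bugzilla's own Perl; bug data is constructed, and the rule that a user must hold every group bit set on the bug is an assumption modelled on the groupset check described above): one validation routine shared by the bug-view and activity-view handlers, so the activity page cannot be rendered for a bug the user is not allowed to see.

```python
# Added example, not Bugzilla's code: models the fix described in this bug.
# A single validation routine, shared by the "show bug" and "show activity"
# handlers, replaces per-script checks that show_activity.cgi lacked.
# Assumed visibility rule: a user may see a bug only if every group bit set
# on the bug's groupset is also set in the user's groupset.

class PermissionDenied(Exception):
    pass

# Constructed sample data: bug id -> groupset bitmask (0 = public).
# 28698 is the id from the report; its summary and groupset are made up.
BUGS = {
    28698: {"groupset": 0b0100, "summary": "confidential issue"},
    1001:  {"groupset": 0,      "summary": "public issue"},
}

def validate_bug_id(raw_id, user_groupset, bugs=BUGS):
    """Return the bug id as an int if it is well-formed, exists and is
    visible to a user holding `user_groupset`; otherwise raise."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError(f"invalid bug id: {raw_id!r}")
    bug_id = int(raw_id)
    bug = bugs.get(bug_id)
    # Missing and hidden bugs fail identically, so the response does not
    # reveal which confidential ids exist (a choice of this example).
    if bug is None or (bug["groupset"] & user_groupset) != bug["groupset"]:
        raise PermissionDenied(f"permission denied for bug {bug_id}")
    return bug_id

def show_bug(raw_id, user_groupset):
    bug_id = validate_bug_id(raw_id, user_groupset)
    return f"bug {bug_id}: {BUGS[bug_id]['summary']}"

def show_activity(raw_id, user_groupset):
    # Before the fix this handler performed no validation at all.
    bug_id = validate_bug_id(raw_id, user_groupset)
    return f"activity for bug {bug_id}"

def can_view(handler, raw_id, user_groupset):
    """True if the handler would render the page for this user."""
    try:
        handler(raw_id, user_groupset)
        return True
    except (PermissionDenied, ValueError):
        return False
```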
Comment 6 (Assignee, 16 years ago)

Created attachment 36584 [details] [diff] [review]
patch w/o CGI.pl for installations that have already installed the patch for bug 39524
Comment 7 (Assignee, 16 years ago)

accepting
Status: NEW → ASSIGNED
Comment 8 (Assignee, 16 years ago)

Adding "review" keyword to get these on the radars of reviewers (if they aren't
already).
Keywords: review

Comment 9 (16 years ago)

r=jake
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Comment 10 (Assignee, 16 years ago)

*** Bug 94476 has been marked as a duplicate of this bug. ***

Updated

Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa