[SECURITY] A user without canconfirm privs can enter bugs in the NEW/ASSIGNED status using XML-RPC

RESOLVED FIXED in Bugzilla 3.2

Status

Bugzilla
Creating/Changing Bugs
--
major
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

({regression})

3.1.3
Bugzilla 3.2
regression
Dependency tree / graph
Bug Flags:
blocking3.2 +

Details

(Whiteboard: [blocker will fix])

(Assignee)

Description

10 years ago
Bug->create() doesn't make sure that the bug status entered by the user is legal based on his privs. If votes to confirm > 0, then a user with no privs cannot choose the initial bug status; this one must be UNCONFIRMED. Either _check_bug_status() or create() itself should enforce this, maybe using something like:

  delete $params->{bug_status} unless $user->in_group('canconfirm', $product)
Flags: blocking3.2+
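The privilege check the description asks for, as an added Python model of the logic (not Bugzilla's own Perl): the caller-supplied `bug_status` from an XML-RPC `Bug.create` request is only honoured when the caller is in `canconfirm` or `editbugs`; otherwise the product's default initial status is used. The `User`, `Product`, `INITIAL_STATUSES` names and the default-status rule are assumptions for illustration.

```python
# Added example, not code from the Bugzilla project: models the check that
# Bug->create() must apply to an untrusted, caller-supplied bug_status.
from dataclasses import dataclass, field

# Assumed set of statuses a bug may legally be created with.
INITIAL_STATUSES = ("UNCONFIRMED", "NEW", "ASSIGNED")


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # e.g. {"canconfirm"}

    def can_confirm(self) -> bool:
        # Comment 1's rule: canconfirm or editbugs is required to pick a status.
        return bool(self.groups & {"canconfirm", "editbugs"})


@dataclass
class Product:
    name: str
    votes_to_confirm: int  # > 0 means the product uses the UNCONFIRMED status


def default_status(product: Product) -> str:
    # Assumed default: UNCONFIRMED where the product uses it, NEW otherwise.
    return "UNCONFIRMED" if product.votes_to_confirm > 0 else "NEW"


def check_bug_status(params: dict, user: User, product: Product) -> str:
    """Return the status a new bug may actually be created with.

    params["bug_status"] is untrusted input, exactly as an XML-RPC client
    would send it; the caller's privileges, not the request, decide.
    """
    if not user.can_confirm():
        # Unprivileged caller: drop the supplied value (the description's
        # 'delete $params->{bug_status}' idea) and fall back to the default.
        return default_status(product)
    requested = params.get("bug_status")
    if requested not in INITIAL_STATUSES:
        return default_status(product)
    return requested


def create_bug(params: dict, user: User, product: Product) -> dict:
    """Constructed stand-in for Bug->create(): copies the request, fixes status."""
    bug = dict(params)
    bug["bug_status"] = check_bug_status(params, user, product)
    return bug
```

With the faulty behaviour from the report, the first call below would have returned ASSIGNED for a user holding no privileges.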

Comment 1

10 years ago
Have you actually tried this? _check_bug_status has code to explicitly prevent that--it always picks the default status if you're not in canconfirm or editbugs.
Group: webtools-security
(Assignee)

Comment 2

10 years ago
(In reply to comment #1)
> Have you actually tried this?

Of course I did, else I would have never noticed it. I have plenty of bugs filed as ASSIGNED from powerless users. Note that the security flag is not needed here as we never mark bugs affecting development only as such.

Comment 3

10 years ago
(In reply to comment #2)
> Note that the security flag is not
> needed here as we never mark bugs affecting development only as such.

We do, and we have, particularly if it affects a released development version.
(Assignee)

Updated

10 years ago
Assignee: create-and-change → LpSolit
(Assignee)

Updated

10 years ago
Depends on: 384009
Whiteboard: [blocker will fix]
(Assignee)

Comment 4

10 years ago
Fixed as part of bug 384009. Keeping the security flag till 3.1.4/3.2 RC1 is released.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

9 years ago
Blocks: 425110
(Assignee)

Comment 5

9 years ago
This regression was introduced by bug 402791 in Bugzilla 3.1.3.
Depends on: 402791
Summary: A user without canconfirm privs can enter bugs in the NEW/ASSIGNED status using XML-RPC → [SECURITY] A user without canconfirm privs can enter bugs in the NEW/ASSIGNED status using XML-RPC
Version: 3.1.2 → 3.1.3

Comment 6

9 years ago
Security advisory sent, removing bugs from security group.
Group: webtools-security