Closed Bug 415471 Opened 12 years ago Closed 12 years ago

[SECURITY] A user without canconfirm privs can enter bugs in the NEW/ASSIGNED status using XML-RPC

Product/Component: Bugzilla :: Creating/Changing Bugs
Type: defect
Severity: major
Version: 3.1.3
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.2
Reporter: LpSolit
Assignee: LpSolit
Keywords: regression
Whiteboard: [blocker will fix]

Bug->create() doesn't make sure that the bug status entered by the user is legal based on his privs. If votes to confirm > 0, then a user with no privs cannot choose the initial bug status; this one must be UNCONFIRMED. Either _check_bug_status() or create() itself should enforce this, maybe using something like:

  delete $params->{bug_status} unless $user->in_group('canconfirm', $product)
Flags: blocking3.2+
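The following is an added example, not Bugzilla's own code: a self-contained Perl model of the initial-status check that comment 0 asks for. The DemoUser package, the @OPEN_STATUSES list, and both check routines are hypothetical stand-ins for Bugzilla::User->in_group and Bug.pm's _check_bug_status, written to show the reported behaviour (caller-supplied bug_status honoured for anyone) next to the intended one (unprivileged filers always get the product default, UNCONFIRMED when votes_to_confirm > 0).

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code. DemoUser, @OPEN_STATUSES and the
# two check routines are hypothetical models of the real Bugzilla API.
use strict;
use warnings;

package DemoUser;
sub new { my ($class, %args) = @_; return bless {%args}, $class; }
# Same call shape as Bugzilla::User->in_group($group, $product_id);
# product-specific membership is ignored in this model.
sub in_group {
    my ($self, $group, $product) = @_;
    return $self->{groups}{$group} ? 1 : 0;
}

package main;

# Statuses a new bug may legally start in (assumption for this example).
my @OPEN_STATUSES = qw(UNCONFIRMED NEW ASSIGNED);

sub default_status {
    my ($product) = @_;
    # Products that require votes to confirm start bugs as UNCONFIRMED.
    return $product->{votes_to_confirm} ? 'UNCONFIRMED' : 'NEW';
}

# Vulnerable variant (the behaviour comment 0 reports): any legal status
# name the XML-RPC caller supplies is accepted, regardless of privileges.
sub check_bug_status_vulnerable {
    my ($params, $user, $product) = @_;
    my $status = $params->{bug_status};
    return $status
        if defined $status && grep { $_ eq $status } @OPEN_STATUSES;
    return default_status($product);
}

# Hardened variant: bug_status from the client only counts when the filer
# holds canconfirm or editbugs; everybody else gets the product default.
sub check_bug_status_fixed {
    my ($params, $user, $product) = @_;
    my $default = default_status($product);

    unless ($user->in_group('canconfirm', $product)
            || $user->in_group('editbugs', $product)) {
        # The suggestion from comment 0: drop the caller's value outright
        # so nothing downstream can pick it up.
        delete $params->{bug_status};
        return $default;
    }

    my $status = $params->{bug_status};
    return $default unless defined $status;
    die "illegal_bug_status: $status\n"
        unless grep { $_ eq $status } @OPEN_STATUSES;
    # UNCONFIRMED is only legal in products that actually use it.
    die "illegal_bug_status: UNCONFIRMED\n"
        if $status eq 'UNCONFIRMED' && !$product->{votes_to_confirm};
    return $status;
}

# Constructed inputs: a powerless user and a canconfirm user both file
# via XML-RPC asking for ASSIGNED in a product that requires confirmation.
my $product   = { name => 'Demo', votes_to_confirm => 3 };
my $nobody    = DemoUser->new(login => 'nobody@example.com', groups => {});
my $confirmer = DemoUser->new(login => 'qa@example.com',
                              groups => { canconfirm => 1 });

for my $case ([ $nobody, 'powerless user' ], [ $confirmer, 'canconfirm user' ]) {
    my ($user, $label) = @$case;
    # Each routine gets its own copy since the fixed one deletes the key.
    my %p_vuln  = ( summary => 'demo', bug_status => 'ASSIGNED' );
    my %p_fixed = %p_vuln;
    printf "%-16s vulnerable=%-12s fixed=%s\n", $label,
        check_bug_status_vulnerable(\%p_vuln,  $user, $product),
        check_bug_status_fixed(\%p_fixed, $user, $product);
}
```

Run it with `perl` and compare the two columns: the vulnerable routine lets the powerless user open the bug as ASSIGNED, the fixed one forces UNCONFIRMED for that user while still honouring the canconfirm user's choice.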
Have you actually tried this? _check_bug_status has code to explicitly prevent that--it always picks the default status if you're not in canconfirm or editbugs.
Group: webtools-security
(In reply to comment #1)
> Have you actually tried this?

Of course I did, else I would have never noticed it. I have plenty of bugs filed as ASSIGNED from powerless users. Note that the security flag is not needed here as we never mark bugs affecting development only as such.
(In reply to comment #2)
> Note that the security flag is not
> needed here as we never mark bugs affecting development only as such.

We do, and we have, particularly if it affects a released development version.
Assignee: create-and-change → LpSolit
Depends on: 384009
Whiteboard: [blocker will fix]
Fixed as part of bug 384009. Keeping the security flag till 3.1.4/3.2 RC1 is released.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Blocks: 425110
This regression was introduced by bug 402791 in Bugzilla 3.1.3.
Depends on: 402791
Summary: A user without canconfirm privs can enter bugs in the NEW/ASSIGNED status using XML-RPC → [SECURITY] A user without canconfirm privs can enter bugs in the NEW/ASSIGNED status using XML-RPC
Version: 3.1.2 → 3.1.3
Security advisory sent, removing bugs from security group.
Group: webtools-security