Closed
Bug 455099
Opened 16 years ago
Closed 16 years ago
Some methods in Search.pm use the wrong user object to check privs
Categories
(Bugzilla :: Whining, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 3.2
People
(Reporter: LpSolit, Assigned: LpSolit)
References
Details
Attachments
(2 files)
4.51 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
4.56 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
You can pass {user => $some_user} to |new Bugzilla::Search| to get a buglist for that user, but some methods in Search.pm have Bugzilla->user hardcoded, instead of $self->{'user'}, which means some validation checks are made against the wrong user. This is currently problematic when executing whine.pl and collectstats.pl as Bugzilla->user is the default user object, which has no privs at all. This means they miss everything which is restricted to the insider group and the timetracking group.
The other way could also happen, despite nothing in our core code is affected (but custom code could be): if the one calling Bugzilla::Search has more privs than the user who will receive whine mail, he would get data he shouldn't normally get.
Attachment #338412 -
Flags: review?(mkanat)
Comment 1•16 years ago
|
||
Comment on attachment 338412 [details] [diff] [review]
patch for tip, v1
Why don't we just call set_user in whine.pl?
Assignee | ||
Comment 2•16 years ago
|
||
Because the code in Search.pm, collectstats.pl and whine.pl is much older than the implementation of set_user, which appeared with email_in.pl in 3.0.
Assignee | ||
Comment 3•16 years ago
|
||
Moreover, I suppose you don't want to use Bugzilla->set_user when already running the script as "you" (or you would call ->set_user all the time to reset the user back to you).
Comment 4•16 years ago
|
||
Well, it's just that there's lots of code in Bugzilla that uses Bugzilla->user, and who *knows* what kind of subroutines or methods we might call from inside Bugzilla::Search now or in the future.
I think for HEAD, the best solution is to use Bugzilla->set_user.
For the branch, we should do what you're doing here, which is make it use $self->{'user'}.
Updated•16 years ago
|
Attachment #338412 -
Flags: review?(mkanat) → review+
Comment 5•16 years ago
|
||
Comment on attachment 338412 [details] [diff] [review]
patch for tip, v1
This looks fine, though.
Assignee | ||
Comment 6•16 years ago
|
||
(In reply to comment #4)
> I think for HEAD, the best solution is to use Bugzilla->set_user.
No. If you do that, I think you can sudo everybody. All you have to do is to create a whine which uses a query with an invalid date, and ThrowUserError will throw an error before Bugzilla->set_user has been set back to its initial value, and you are now logged in as the other user.
Comment 7•16 years ago
|
||
(In reply to comment #6)
> No. If you do that, I think you can sudo everybody. All you have to do is to
> create a whine which uses a query with an invalid date, and ThrowUserError will
> throw an error before Bugzilla->set_user has been set back to its initial
> value, and you are now logged in as the other user.
Oh, I see, we have whines that send to other users, right.
Assignee | ||
Comment 8•16 years ago
|
||
Backport for 3.2. $user->is_timetracker doesn't exist in 3.2. No other change.
Attachment #338524 -
Flags: review?(mkanat)
Updated•16 years ago
|
Attachment #338524 -
Flags: review?(mkanat) → review+
Assignee | ||
Updated•16 years ago
|
Flags: approval3.2+
Flags: approval+
Assignee | ||
Comment 9•16 years ago
|
||
tip:
Checking in Bugzilla/Search.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Search.pm,v <-- Search.pm
new revision: 1.163; previous revision: 1.162
done
3.2rc1:
Checking in Bugzilla/Search.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Search.pm,v <-- Search.pm
new revision: 1.159.2.3; previous revision: 1.159.2.2
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•