Closed
Bug 532518
Opened 15 years ago
Closed 15 years ago
Credentials are not checked correctly when viewing one attachment from another bug's alternate host
Categories
(Bugzilla :: Attachments & Requests, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 3.6
People
(Reporter: mockodin, Assigned: LpSolit)
References
Details
Attachments
(2 files, 1 obsolete file)
|
1.53 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
|
3.24 KB,
patch
|
mkanat
:
review+
|
Details | Diff | Splinter Review |
Access Denied screen shot
If a user attempts to access an attachment for which they does not have permission to view the resulting error screen will display the Log In and Forgotten password links in the header and footer This can be see on the BMO site (version 3.4.4+) To replicate find an attachment you are denied access to and attempt to display it.
|
Assignee | |
Comment 1•15 years ago
|
||
Unless I miss something, I'm unable to reproduce this issue with 3.5.2 and 3.4.4. Do you have a URL?
|
Reporter | |
Comment 2•15 years ago
|
||
I attempted to view an attachment from irc, since I had a attachment already up I had just replaced the attach_id. What I failed to notice was the url itself had redirected originally to include the bug id at the beginning the url. Like this: https://bug<bugid>.bugzilla.mozilla.org/attachment.cgi?id=<attachmentid> I did not replace the bugid. So if the bug_id is left incorrect, but the attach id is change it will try and open the attach but throw the access denied error as it should and references the bug actually associated with the attachment. Which is where the screen shot came from on BMO. So in summary, this shouldn't occur under normal conditions but if someone manually enters the attachment id and has no permissions to view it they will get the incorrectly displayed page, though still correctly denying access. If the bug_id is also changed the page will display normally.
|
|
Assignee | |
Comment 3•15 years ago
|
||
Ah ok, I didn't try this testcase. Reopening for further testing when I have some time.
|
|
Assignee | |
Comment 4•15 years ago
|
||
I can reproduce the issue. I'm surprised attachment.cgi didn't redirect to correct_urlbase first before throwing the error.
Assignee: user-accounts → attach-and-request
Status: REOPENED → NEW
Component: User Accounts → Attachments & Requests
Keywords: qawanted
Whiteboard: DUPME?
|
|
Assignee | |
Comment 5•15 years ago
|
||
In bug 38862, I assumed that if you were not on the bug's alternate host, you were on the main host, from where we could safely check your credentials. This is a good assumption most of the time, except when each bug has its own host for attachments and you hack the URL to view one attachment from another bug's alternate host, as described in comment 2. In that case, we need to redirect you to the main host to check your credentials first. I don't think that's exploitable as the login form points to the main host, but I want to handle this edge-case correctly anyway for 3.4.x and tip.
Assignee: attach-and-request → LpSolit
Severity: trivial → normal
Status: NEW → ASSIGNED
Depends on: 38862
Flags: blocking3.6+
Summary: Attachment Access Denied page for displays user as being logged out → Credentials are not checked correctly when viewing one attachment from another bug's alternate host
Target Milestone: --- → Bugzilla 3.4
|
|
Assignee | |
Comment 6•15 years ago
|
||
As said in my previous comment, we need to redirect the user to the main host to check his credentials when the alternate host mismatches the expected host.
Attachment #415727 -
Attachment is obsolete: true
Attachment #419417 -
Flags: review?(mkanat)
|
||
Comment 7•15 years ago
|
||
Comment on attachment 419417 [details] [diff] [review] patch, v1 This logic is getting really confusing. Could we possibly reverse it all so that the viewing only happens in the $bug_id case? (That is, reverse all the if, elsif, else?) In any case, this looks OK.
Attachment #419417 -
Flags: review?(mkanat) → review+
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #7) > that the viewing only happens in the $bug_id case? (That is, reverse all the > if, elsif, else?) An alternative I had in mind was: if (!$cgi->url_is_attachment_base($bug_id)) { if ($cgi->url_is_attachment_base) { $cgi->redirect_to_urlbase; } .... } else { .... } Does it look more understandable to you? Personally, I found it more confusing than my current patch.
Flags: approval3.4+
Flags: approval+
|
|
||
Comment 9•15 years ago
|
||
Yeah, I find that more confusing, too. I was thinking of making the very top condition "if ($cgi->url_is_attachment_base($bug_id)" and putting what's currently in the "else" into there, and then reversing the logic in general.
|
|
Assignee | |
Comment 10•15 years ago
|
||
Ah, I see. Hum, I'm not sure the benefit is real, though. :)
|
|
||
Comment 11•15 years ago
|
||
Yeah, I think it would help with readability, though. Usually negative conditions are hard to read and positive conditions are easy to read.
|
|
Assignee | |
Comment 12•15 years ago
|
||
Here is the patch with the logic reversed. That's the one I'm going to commit.
|
|
Assignee | |
Comment 13•15 years ago
|
||
The patch doesn't apply cleanly on the 3.4 branch as bug 523495 didn't land on this branch, and so $cgi->url_is_attachment_base is not available there. As this bug is not too severe, I'm only committing this patch for 3.6. Checking in attachment.cgi; /cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v <-- attachment.cgi new revision: 1.167; previous revision: 1.166 done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago → 15 years ago
Flags: approval3.4+
Resolution: --- → FIXED
Target Milestone: Bugzilla 3.4 → Bugzilla 3.6
|
|
||
Comment 14•15 years ago
|
||
Comment on attachment 419566 [details] [diff] [review] alternate patch (reversed logic), v1.1 That looks way better, thank you. :-)
Attachment #419566 -
Flags: review+
You need to log in
before you can comment on or make changes to this bug.
Description
•