Bug 577139 - (CVE-2010-2758) [SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not
Status: RESOLVED FIXED
Whiteboard: [4.0/4.2 fixed by bug 519835]
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 2.17.1
Platform: All All
Importance: -- minor
Target Milestone: Bugzilla 3.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Blocks: 580214

Reported: 2010-07-06 13:04 PDT by Frédéric Buclin
Modified: 2010-08-05 21:39 PDT
LpSolit: approval3.6+
LpSolit: blocking3.6.2+
LpSolit: approval3.4+
LpSolit: blocking3.4.8+
LpSolit: approval3.2+
LpSolit: blocking3.2.8+


Attachments
patch for 3.2 and 3.4, v1 (3.59 KB, patch)
2010-07-06 14:05 PDT, Frédéric Buclin
mkanat: review+
patch for 3.6, v1 (661 bytes, patch)
2010-07-07 03:59 PDT, Frédéric Buclin
mkanat: review+

Description Frédéric Buclin 2010-07-06 13:04:01 PDT
Bugzilla::Product::check_product() throws an error if you pass a product name which doesn't exist, letting the user know whether it's a valid product name or not.

This is going to be fixed in Bugzilla 4.2 as part of bug 519835.
Comment 1 Frédéric Buclin 2010-07-06 14:03:47 PDT
duplicates.cgi is also vulnerable, at least in 3.2.
Comment 2 Frédéric Buclin 2010-07-06 14:05:07 PDT
Created attachment 456194
patch for 3.2 and 3.4, v1

Here is the patch for 3.2. I didn't want to create a new constant as it's for branches only.
Comment 3 Max Kanat-Alexander 2010-07-06 14:30:48 PDT
Comment on attachment 456194
patch for 3.2 and 3.4, v1

This looks right.

For newer branches you should just be able to use check().
Comment 4 Frédéric Buclin 2010-07-06 14:35:07 PDT
(In reply to comment #3)
> For newer branches you should just be able to use check().

For 3.6, I think so. But 3.4 has no custom check() method (which is needed to override the error message).
Comment 5 Max Kanat-Alexander 2010-07-06 15:11:32 PDT
(In reply to comment #4)
> For 3.6, I think so. But 3.4 has no custom check() method (which is needed to
> override the error message).

  Ah, okay.
Comment 6 Frédéric Buclin 2010-07-06 18:47:18 PDT
Comment on attachment 456194
patch for 3.2 and 3.4, v1

The same patch applies and works for 3.2 and 3.4.
Comment 7 Frédéric Buclin 2010-07-06 18:48:01 PDT
It will be ready on time for the next releases.
Comment 8 Frédéric Buclin 2010-07-06 19:15:28 PDT
I finally checked in bug 519835 in 4.0, so Bugzilla 3.7.3 doesn't need to be fixed in this bug. duplicates.cgi was already fixed since Bugzilla 3.6rc1 thanks to bug 514970.

Both request.cgi and duplicates.cgi were affected since Bugzilla 2.17.1.
Comment 9 Frédéric Buclin 2010-07-07 03:59:56 PDT
Created attachment 456259
patch for 3.6, v1

Bugzilla 3.6 has a custom check() method in Product.pm, which throws the appropriate error. So we can use it here.
Comment 10 Max Kanat-Alexander 2010-07-07 18:59:49 PDT
Comment on attachment 456259
patch for 3.6, v1

Yeah, obviously correct. :-)
Comment 11 Frédéric Buclin 2010-08-04 15:00:42 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified request.cgi
Committed revision 7159.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6773.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6394.
Comment 12 Max Kanat-Alexander 2010-08-05 21:39:57 PDT
Security advisory sent, unlocking bug.
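
An added illustration of the issue tracked in this bug, not Bugzilla's code and not the attached patches: a product lookup whose error text reveals whether a name exists, beside one that raises the same error for a missing product and an inaccessible one. It assumes the fix is to make the two failures indistinguishable; the product table, group names, error strings and function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: product name => groups allowed to see it.
# An empty list means the product is visible to everyone.
my %PRODUCTS = (
    'Public Tracker' => [],
    'Secret Project' => ['secret-team'],
);

# True if the product is public or the user is in one of its groups.
sub can_see {
    my ($name, $user_groups) = @_;
    my $required = $PRODUCTS{$name};
    return 1 if !@$required;
    my %in = map { $_ => 1 } @$user_groups;
    return scalar grep { $in{$_} } @$required;
}

# Leaky lookup: a missing product and a hidden product raise different
# errors, so the error text tells the caller whether the name exists.
sub check_product_leaky {
    my ($name, $user_groups) = @_;
    die "no such product\n"  unless exists $PRODUCTS{$name};
    die "access denied\n"    unless can_see($name, $user_groups);
    return $name;
}

# Uniform lookup: both failures collapse into one error, so a user
# without access learns nothing about which names are real.
sub check_product_uniform {
    my ($name, $user_groups) = @_;
    die "access denied\n"
        unless exists $PRODUCTS{$name} && can_see($name, $user_groups);
    return $name;
}

# Compare what a user with no group memberships sees from each variant.
for my $name ('Public Tracker', 'Secret Project', 'No Such Product') {
    for my $check (['leaky', \&check_product_leaky],
                   ['uniform', \&check_product_uniform]) {
        my ($label, $code) = @$check;
        my $result = eval { $code->($name, []); 'ok' };
        unless (defined $result) { chomp($result = $@); }
        printf "%-8s %-16s => %s\n", $label, $name, $result;
    }
}
```

A regression test for this class of bug can assert that the response for a hidden product and for a nonexistent product is identical, including status code and message text.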
