Closed Bug 577139 (CVE-2010-2758) Opened 10 years ago Closed 10 years ago

[SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not

Categories

(Bugzilla :: Attachments & Requests, defect, minor)

Product:
Bugzilla
Component:
Attachments & Requests
Version:
2.17.1
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 3.2

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

(Whiteboard: [4.0/4.2 fixed by bug 519835])

Attachments

(2 files)

patch for 3.2 and 3.4, v1
3.59 KB, patch
mkanat
: review+
Details | Diff | Splinter Review
patch for 3.6, v1
661 bytes, patch
mkanat
: review+
Details | Diff | Splinter Review 
Bugzilla::Product::check_product() throws an error if you pass a product name which doesn't exist, letting the user know whether it's a valid product name or not.

This is going to be fixed in Bugzilla 4.2 as part of bug 519835.
Severity: normal → minor
duplicates.cgi is also vulnerable, at least in 3.2.
Summary: [SECURITY] request.cgi lets you know whether a product exists or not → [SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not
Here is the patch for 3.2. I didn't want to create a new constant as it's for branches only.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #456194 - Flags: review?(mkanat)
Comment on attachment 456194 [details] [diff] [review]
patch for 3.2 and 3.4, v1

This looks right.

For newer branches you should just be able to use check().
Attachment #456194 - Flags: review?(mkanat) → review+
(In reply to comment #3)
> For newer branches you should just be able to use check().

For 3.6, I think so. But 3.4 has no custom check() method (which is needed to override the error message).
(In reply to comment #4)
> For 3.6, I think so. But 3.4 has no custom check() method (which is needed to
> override the error message).

  Ah, okay.
Comment on attachment 456194 [details] [diff] [review]
patch for 3.2 and 3.4, v1

The same patch applies and works for 3.2 and 3.4.
Attachment #456194 - Attachment description: patch for 3.2, v1 → patch for 3.2 and 3.4, v1
It will be ready on time for the next releases.
Flags: blocking4.0+
Flags: blocking3.6.2+
Flags: blocking3.4.8+
Flags: blocking3.2.8+
Flags: approval3.4?
Flags: approval3.2?
I finally checked in bug 519835 in 4.0, so Bugzilla 3.7.3 doesn't need to be fixed in this bug. duplicates.cgi was already fixed since Bugzilla 3.6rc1 thanks to bug 514970.

Both request.cgi and duplicates.cgi were affected since Bugzilla 2.17.1.
Flags: blocking4.0+
Whiteboard: [4.0/4.2 fixed by bug 519835]
Version: 3.7 → 2.17.1
Bugzilla 3.6 has a custom check() method in Product.pm, which throws the appropriate error. So we can use it here.
Attachment #456259 - Flags: review?(mkanat)
Attachment #456259 - Flags: review?(mkanat) → review+
Comment on attachment 456259 [details] [diff] [review]
patch for 3.6, v1

Yeah, obviously correct. :-)
Flags: approval3.6?
Blocks: 580214
Alias: CVE-2010-2758
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified request.cgi
Committed revision 7159.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6773.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified duplicates.cgi
modified request.cgi
modified Bugzilla/Product.pm
Committed revision 6394.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Security advisory sent, unlocking bug.
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.