Bug 621108 (Closed)
Opened 13 years ago
Closed 13 years ago
[SECURITY] Creating/editing charts lacks CSRF protection
Categories: Bugzilla :: Reporting/Charting, defect
Tracking: RESOLVED FIXED, Bugzilla 3.2
People: Reporter: reed, Assigned: LpSolit
Whiteboard: [infrasec:csrf][ws:moderate]
Attachments (2 files, 1 obsolete file)
2.73 KB, patch, dkl: review+
2.40 KB, patch, dkl: review+
chart.cgi only supports tokens for deleting charts. Should also protect against unwanted chart creation/modification.
Comment 1 • 13 years ago
On the creating charts side, this is pretty minor. You'd be informed that you created a chart, and you'd just go delete it before it ever had a chance to gather data. I suppose doing a CSRF on somebody and editing their charts would be a more significant annoyance.
Severity: normal → minor
Updated • 13 years ago (Assignee)
Assignee: charting → LpSolit
Comment 2 • 13 years ago (Assignee)
Attachment #499880 - Flags: review?(mkanat)
Updated • 13 years ago (Assignee)
Attachment #499880 - Flags: review?(mkanat) → review?(dkl)
Updated • 13 years ago (Reporter)
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Comment 3 • 13 years ago
Comment on attachment 499880 (patch for 3.6 - 4.1, v1): Looks good and works as expected. r=dkl
Attachment #499880 - Flags: review?(dkl) → review+
Updated • 13 years ago
Flags: approval?
Flags: approval4.0?
Updated • 13 years ago
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
Comment 4 • 13 years ago (Assignee)
Backport needed for 3.4 and 3.2. Looks like a minor conflict in a template.
Status: NEW → ASSIGNED
Flags: approval3.6?
Comment 5 • 13 years ago (Assignee)
(In reply to comment #4)
> Looks like a minor conflict in a template.

err... in chart.cgi.
Comment 6 • 13 years ago (Assignee)
It finally wasn't a minor conflict in chart.cgi. Bugzilla::Series objects in 3.4 and older have no ->id and ->name methods, and assertCanEdit() doesn't return a series object. This patch works for both 3.4 and 3.2.
Attachment #506149 - Flags: review?(dkl)
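The fix described in the comments above binds a one-time token to the user and to the specific action (create, edit or delete of a series, keyed by id rather than by the name, which the submit may change). The following is an added Python model of that check, not Bugzilla's own code; the token store, the `action:id` event string and the handler names are assumptions for this illustration.

```python
import secrets
from dataclasses import dataclass

# Added example, not Bugzilla code: models a per-user one-time token table
# and the check a chart.cgi-style handler does before creating/editing a series.

@dataclass
class IssuedToken:
    userid: int
    eventdata: str  # action the token was issued for, e.g. "edit_series:12"

class TokenStore:
    """Server-side table of one-time tokens, keyed by the random token value."""
    def __init__(self):
        self._tokens = {}  # token value -> IssuedToken

    def issue(self, userid, eventdata):
        token = secrets.token_urlsafe(16)  # unguessable, so a cross-site form cannot supply it
        self._tokens[token] = IssuedToken(userid, eventdata)
        return token

    def check(self, token, userid, eventdata):
        # Valid only for the user it was issued to AND the exact action it was issued for.
        rec = self._tokens.get(token or "")
        return rec is not None and rec.userid == userid and rec.eventdata == eventdata

    def consume(self, token):
        self._tokens.pop(token, None)  # tokens are single use

def render_edit_series(store, userid, series_id):
    """GET side: the form embeds a token bound to the series id (not its name)."""
    return store.issue(userid, f"edit_series:{series_id}")

def submit_edit_series(store, userid, series_id, token):
    """POST side: verify before modifying; a token for another action or user is rejected."""
    if not store.check(token, userid, f"edit_series:{series_id}"):
        return False
    store.consume(token)
    return True  # the series update itself would happen here

def demo():
    store, alice, bob = TokenStore(), 1, 2
    good = render_edit_series(store, alice, 12)
    delete_tok = store.issue(alice, "delete_series:12")  # the only token old chart.cgi issued
    return {
        "no_token":     submit_edit_series(store, alice, 12, None),        # unprotected cross-site POST
        "wrong_action": submit_edit_series(store, alice, 12, delete_tok),  # delete token reused for edit
        "wrong_user":   submit_edit_series(store, bob, 12, good),
        "valid":        submit_edit_series(store, alice, 12, good),
        "replay":       submit_edit_series(store, alice, 12, good),        # same token a second time
    }
```

Only the submission that carries the token issued to that user for that exact action succeeds, and only once.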
Comment 7 • 13 years ago (Reporter)
Comment on attachment 506149 (patch for 3.2 - 3.4, v1)
>- my $series = new Bugzilla::Series($cgi);
>+ # We cannot use the $series objet below, because its name may have changed.

"object below, as its" (s/objet/object/ and s/because/as/)
Comment 8 • 13 years ago (Assignee)
right, thanks!
Attachment #506149 - Attachment is obsolete: true
Attachment #506152 - Flags: review?(dkl)
Attachment #506149 - Flags: review?(dkl)
Updated • 13 years ago (Assignee)
Attachment #499880 - Attachment description: patch, v1 → patch for 3.6 - 4.1, v1
Comment 10 • 13 years ago
Comment on attachment 506152 (patch for 3.2 - 3.4, v1.1): Looks good and works as expected on 3.2/3.4
Attachment #506152 - Flags: review?(dkl) → review+
Updated • 13 years ago
Flags: approval3.4?
Flags: approval3.2?
Updated • 13 years ago (Assignee)
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
Comment 11 • 13 years ago (Assignee)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 7669.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 7526.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 7221.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 6788.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 6409.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 12 • 13 years ago (Assignee)
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Updated • 13 years ago
Whiteboard: [infrasec:csrf][ws:high] → [infrasec:csrf][ws:moderate]