Closed
Bug 621108
Opened 14 years ago
Closed 14 years ago
[SECURITY] Creating/editing charts lacks CSRF protection
Categories: Bugzilla :: Reporting/Charting, defect
Tracking: RESOLVED FIXED, Bugzilla 3.2
People: Reporter: reed, Assigned: LpSolit
Details: Whiteboard: [infrasec:csrf][ws:moderate]
Attachments (2 files, 1 obsolete file):
- 2.73 KB, patch, dkl: review+
- 2.40 KB, patch, dkl: review+
chart.cgi only supports tokens for deleting charts. Should also protect against unwanted chart creation/modification.
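An added illustration of the fix the description asks for, not Bugzilla's own code: every state-changing chart action (create, edit, delete), not only delete, requires a single-use token bound to the caller's session and to that one action, in the shape of Bugzilla's `issue_session_token`/`check_token_data` helpers, and edits resolve the target series by id rather than by its (possibly changed) name. The stores, the `handle_chart_request` handler and its parameter names are constructed for this example.

```python
import secrets

# Server-side token store, a dict here (Bugzilla keeps tokens in a table):
# token -> (session_id, action it was issued for). Constructed for this example.
ISSUED = {}
# Chart series store: series_id -> {"name": ..., "owner": session_id}. Constructed.
SERIES = {}


def issue_token(session_id, action):
    """Mint a single-use token bound to this session and to one action."""
    token = secrets.token_urlsafe(16)
    ISSUED[token] = (session_id, action)
    return token


def check_token(token, session_id, action):
    """Consume the token; it is valid only if both session and action match."""
    entry = ISSUED.pop(token, None)
    return entry == (session_id, action)


def handle_chart_request(session_id, params):
    """Model of a chart.cgi-style handler with a token check on every change."""
    action = params.get("action")
    if action not in ("create", "edit", "delete"):
        return "error: unknown action"
    # A token issued for one action (e.g. delete_series) is rejected for another.
    if not check_token(params.get("token", ""), session_id, action + "_series"):
        return "error: missing or invalid token"
    if action == "create":
        series_id = len(SERIES) + 1
        SERIES[series_id] = {"name": params["name"], "owner": session_id}
        return f"created {series_id}"
    # Edit/delete resolve the target by numeric id, never by name: the
    # submitted form may carry a new name for the same series.
    try:
        series_id = int(params.get("series_id", ""))
    except ValueError:
        return "error: bad series id"
    series = SERIES.get(series_id)
    if series is None or series["owner"] != session_id:
        return "error: no such series or not the owner"
    if action == "edit":
        series["name"] = params["name"]
        return f"edited {series_id}"
    del SERIES[series_id]
    return f"deleted {series_id}"
```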
Comment 1 • 14 years ago
On the creating charts side, this is pretty minor. You'd be informed that you created a chart, and you'd just go delete it before it ever had a chance to gather data.
I suppose doing a CSRF on somebody and editing their charts would be a more significant annoyance.
Severity: normal → minor
[Assignee] Updated • 14 years ago
Assignee: charting → LpSolit
[Assignee] Comment 2 • 14 years ago
Attachment #499880 -
Flags: review?(mkanat)
[Assignee] Updated • 14 years ago
Attachment #499880 -
Flags: review?(mkanat) → review?(dkl)
[Reporter] Updated • 14 years ago
Flags: blocking4.0?
Flags: blocking3.6.4?
Flags: blocking3.4.10?
Flags: blocking3.2.10?
Comment 3 • 14 years ago
Comment on attachment 499880 [details] [diff] [review]
patch for 3.6 - 4.1, v1
Looks good and works as expected. r=dkl
Attachment #499880 -
Flags: review?(dkl) → review+
Updated • 14 years ago
Flags: approval?
Flags: approval4.0?
Updated • 14 years ago
Flags: blocking4.0?
Flags: blocking4.0+
Flags: blocking3.6.4?
Flags: blocking3.6.4+
Flags: blocking3.4.10?
Flags: blocking3.4.10+
Flags: blocking3.2.10?
Flags: blocking3.2.10+
[Assignee] Comment 4 • 14 years ago
Backport needed for 3.4 and 3.2. Looks like a minor conflict in a template.
Status: NEW → ASSIGNED
Flags: approval3.6?
[Assignee] Comment 5 • 14 years ago
(In reply to comment #4)
> Looks like a minor conflict in a template.
err... in chart.cgi.
[Assignee] Comment 6 • 14 years ago
It finally wasn't a minor conflict in chart.cgi. Bugzilla::Series objects in 3.4 and older have no ->id and ->name methods, and assertCanEdit() doesn't return a series object. This patch works for both 3.4 and 3.2.
Attachment #506149 -
Flags: review?(dkl)
[Reporter] Comment 7 • 14 years ago
Comment on attachment 506149 [details] [diff] [review]
patch for 3.2 - 3.4, v1
>- my $series = new Bugzilla::Series($cgi);
>+ # We cannot use the $series objet below, because its name may have changed.
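Review bot: the new comment on the `+` line should also say what the handler now uses instead of `$series` to identify the series being edited, since the `-` line removes the object the code below presumably relied on; a reader of the hunk alone cannot tell where the edit target comes from. While there, `objet` is a typo, and `# We cannot use the $series object below, as its name may have changed.` reads better.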
"object below, as its" (s/objet/object/ and s/because/as/)
[Assignee] Comment 8 • 14 years ago
right, thanks!
Attachment #506149 -
Attachment is obsolete: true
Attachment #506152 -
Flags: review?(dkl)
Attachment #506149 -
Flags: review?(dkl)
[Assignee] Updated • 14 years ago
Attachment #499880 -
Attachment description: patch, v1 → patch for 3.6 - 4.1, v1
Comment 10 • 14 years ago
Comment on attachment 506152 [details] [diff] [review]
patch for 3.2 - 3.4, v1.1
Looks good and works as expected on 3.2/3.4
Attachment #506152 -
Flags: review?(dkl) → review+
Updated • 14 years ago
Flags: approval3.4?
Flags: approval3.2?
[Assignee] Updated • 14 years ago
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
[Assignee] Comment 11 • 14 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 7669.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 7526.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 7221.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 6788.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified chart.cgi
modified template/en/default/reports/edit-series.html.tmpl
modified template/en/default/search/search-create-series.html.tmpl
Committed revision 6409.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
[Assignee] Comment 12 • 14 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security
Updated • 14 years ago
Whiteboard: [infrasec:csrf][ws:high] → [infrasec:csrf][ws:moderate]