Bug 674497 - (CVE-2011-2979) [SECURITY] Custom searches let you determine if a group exists or not
Status: RESOLVED FIXED
Keywords: regression
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 4.1.1
Hardware: All All
Importance: -- normal
Target Milestone: Bugzilla 4.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Depends on: bz-search-args
Blocks: 660528
 
Reported: 2011-07-27 04:26 PDT by Frédéric Buclin
Modified: 2011-09-24 05:47 PDT
CC List: 3 users
LpSolit: approval+
LpSolit: blocking4.2+
LpSolit: testcase?


Attachments
patch, v1 (1.09 KB, patch)
2011-07-27 04:32 PDT, Frédéric Buclin
glob: review+

Description Frédéric Buclin 2011-07-27 04:26:47 PDT
Regression due to bug 574556, i.e. since Bugzilla 4.1.1:

Run the two queries below:

1) Assignee is equal to %group.foo%
2) Assignee is equal to %group.canconfirm%

In Bugzilla 4.0.x and below, you get the same error message regardless of whether the group exists or not, so as not to leak this information; see bug 417048. But this regressed again in 4.1.1, as ValidateGroupName() has been replaced by Bugzilla::Group->check(), which throws an explicit error message if the group doesn't exist.
Comment 1 Frédéric Buclin 2011-07-27 04:32:34 PDT
Created attachment 548748
patch, v1

Override the error message to match what happens when the user is not in the group, so that the error message is exactly the same in both cases.
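
The leak from the description and the uniform-error fix from comment 1, as an added Perl sketch that is not Bugzilla's code. The sub names, the group table and the "does not exist" wording are constructed for illustration; only the `%group.NAME%` syntax and the `invalid_group_name` error tag come from this bug.

```perl
#!/usr/bin/perl
# Added illustration only: these subs and the group table are hypothetical,
# not Bugzilla code. Only %group.NAME% and 'invalid_group_name' come from the bug.
use strict;
use warnings;

# Constructed sample data: group name => { member => 1 }.
my %GROUPS = (
    canconfirm     => { alice => 1 },
    secret_project => { bob   => 1 },
);

# Leaky: a missing group and a non-member get different errors.
sub resolve_leaky {
    my ($user, $value) = @_;
    my ($name) = $value =~ /^%group\.([^%]+)%$/
        or die "invalid_group_name\n";
    exists $GROUPS{$name}
        or die "The group '$name' does not exist.\n";   # constructed wording
    $GROUPS{$name}{$user}
        or die "invalid_group_name\n";
    return $name;
}

# Uniform: every failure path raises the same error.
sub resolve_uniform {
    my ($user, $value) = @_;
    my ($name) = $value =~ /^%group\.([^%]+)%$/;
    my $ok = defined $name && exists $GROUPS{$name} && $GROUPS{$name}{$user};
    die "invalid_group_name\n" unless $ok;
    return $name;
}

# Return 'ok' or the error text seen by a user who is in no group.
sub probe {
    my ($resolver, $name) = @_;
    return 'ok' if eval { $resolver->('mallory', "%group.$name%"); 1 };
    chomp(my $err = $@);
    return $err;
}

for my $name (qw(canconfirm secret_project foo)) {
    printf "%-15s leaky: %-36s uniform: %s\n",
        $name, probe(\&resolve_leaky, $name), probe(\&resolve_uniform, $name);
}
```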
Comment 2 Byron Jones ‹:glob› 2011-07-27 04:37:23 PDT
Comment on attachment 548748
patch, v1

r=glob
Comment 3 Frédéric Buclin 2011-07-27 04:51:05 PDT
We didn't branch yet. :)
Comment 4 Daniel Veditz [:dveditz] 2011-08-01 16:36:03 PDT
Use CVE-2011-2979 for this bug
Comment 5 Max Kanat-Alexander 2011-08-02 16:36:03 PDT
Comment on attachment 548748
patch, v1

Review of attachment 548748:
-----------------------------------------------------------------

::: Bugzilla/Search.pm
@@ +2007,4 @@
>      my $user = $self->_user;
>      
>      $value =~ /\%group\.([^%]+)%/;
> +    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
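
Review bot: The added line passes `$1` to `Bugzilla::Group->check` without testing whether the match on the preceding line succeeded; in Perl a failed match leaves `$1` holding the capture from an earlier successful match, so a value without `%group.NAME%` would be checked against a stale name. Consider capturing in list context, e.g. `my ($name) = $value =~ /\%group\.([^%]+)%/;`, and raising the same `invalid_group_name` error when `$name` is undefined. A short comment next to `_error => 'invalid_group_name'` saying that the override keeps the missing-group and not-a-member cases indistinguishable would also help keep this from regressing again.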

Ah, we should have Bugzilla::Group->check_carefully. Could somebody please implement that?
Comment 6 Frédéric Buclin 2011-08-02 16:38:57 PDT
(In reply to comment #5)
> Ah, we should have Bugzilla::Group->check_carefully. Could somebody please
> implement that?

Not as part of this bug, no. :)
Comment 7 Frédéric Buclin 2011-08-04 13:54:52 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Search.pm
Committed revision 7892.
Comment 8 Max Kanat-Alexander 2011-08-05 17:33:25 PDT
Security advisory sent, unlocking this bug.
