Bug 674497 - (CVE-2011-2979) [SECURITY] Custom searches let you determine if a group exists or not
Status: RESOLVED FIXED
Keywords: regression
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 4.1.1
Hardware: All All
Importance: -- normal
Target Milestone: Bugzilla 4.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Depends on: bz-search-args
Blocks: 660528
Reported: 2011-07-27 04:26 PDT by Frédéric Buclin
Modified: 2011-09-24 05:47 PDT
LpSolit: approval+
LpSolit: blocking4.2+
LpSolit: testcase?

Attachments
patch, v1 (1.09 KB, patch)
2011-07-27 04:32 PDT, Frédéric Buclin
glob: review+

Description Frédéric Buclin 2011-07-27 04:26:47 PDT
Regression due to bug 574556, i.e. since Bugzilla 4.1.1:

Run the two queries below:

1) Assignee is equal to %group.foo%
2) Assignee is equal to %group.canconfirm%

In Bugzilla 4.0.x and below, you get the same error message, independently of whether the group exists or not, to not leak this information, see bug 417048. But this regressed again in 4.1.1 as ValidateGroupName() has been replaced by Bugzilla::Group->check(), which throws an explicit error message if the group doesn't exist.
Comment 1 Frédéric Buclin 2011-07-27 04:32:34 PDT
Created attachment 548748
patch, v1

Override the error message to match what happens when the user is not in the group, so that the error message is exactly the same in both cases.
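The difference between the leaking and the uniform behaviour discussed above, as an added Perl sketch that is not Bugzilla's code. The group table, logins, subroutine names and the `no_such_group` error string are constructed for illustration; only the `invalid_group_name` error name is taken from this bug.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: group name => set of member logins.
my %GROUPS = (
    canconfirm => { 'alice@example.com' => 1 },
    editbugs   => { 'alice@example.com' => 1, 'bob@example.com' => 1 },
);

# Extract NAME from a %group.NAME% pronoun; undef when the value is malformed.
sub group_from_pronoun {
    my ($value) = @_;
    return $value =~ /^%group\.([^%]+)%$/ ? $1 : undef;
}

# Leaky variant: a distinct error for a missing group is an existence oracle.
sub resolve_leaky {
    my ($user, $value) = @_;
    my $name = group_from_pronoun($value);
    die "invalid_group_name\n" unless defined $name;
    die "no_such_group\n"      unless exists $GROUPS{$name};
    die "invalid_group_name\n" unless $GROUPS{$name}{$user};
    return $name;
}

# Uniform variant: malformed value, missing group and non-membership
# all fail with the same error, so the caller learns nothing extra.
sub resolve_uniform {
    my ($user, $value) = @_;
    my $name = group_from_pronoun($value);
    die "invalid_group_name\n"
        unless defined $name && exists $GROUPS{$name} && $GROUPS{$name}{$user};
    return $name;
}

# Run one resolver and return its error code, or "ok" on success.
sub probe {
    my ($resolver, $user, $value) = @_;
    return 'ok' if eval { $resolver->($user, $value); 1 };
    my $err = $@;
    chomp $err;
    return $err;
}

# bob is only in editbugs; compare what each variant reveals to him.
for my $value ('%group.foo%', '%group.canconfirm%', '%group.editbugs%') {
    printf "%-20s leaky=%-20s uniform=%s\n", $value,
        probe(\&resolve_leaky,   'bob@example.com', $value),
        probe(\&resolve_uniform, 'bob@example.com', $value);
}
```

A regression test for this class of bug can assert that the uniform resolver returns identical errors for a nonexistent group and for an existing group the user is not in.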
Comment 2 Byron Jones ‹:glob› [PTO until 2016-10-10] 2011-07-27 04:37:23 PDT
Comment on attachment 548748
patch, v1

r=glob
Comment 3 Frédéric Buclin 2011-07-27 04:51:05 PDT
We didn't branch yet. :)
Comment 4 Daniel Veditz [:dveditz] 2011-08-01 16:36:03 PDT
Use CVE-2011-2979 for this bug
Comment 5 Max Kanat-Alexander 2011-08-02 16:36:03 PDT
Comment on attachment 548748
patch, v1

Review of attachment 548748:
-----------------------------------------------------------------

::: Bugzilla/Search.pm
@@ +2007,4 @@
>      my $user = $self->_user;
>      
>      $value =~ /\%group\.([^%]+)%/;
> +    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
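Review bot: The match on the line above the added `check()` call is not tested before `$1` is used, so when `$value` does not contain a `%group.NAME%` pronoun, `name => $1` receives undef or a capture left over from an earlier successful match. Unless the caller already guarantees the pattern matches, capture into a lexical first, for example `my ($name) = $value =~ /\%group\.([^%]+)%/;`, and throw `invalid_group_name` when it is undefined. A short comment stating that `_error` is overridden so a missing group produces the same error as a user who is not in the group would also keep a later cleanup from restoring the default message.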

Ah, we should have Bugzilla::Group->check_carefully. Could somebody please implement that?
Comment 6 Frédéric Buclin 2011-08-02 16:38:57 PDT
(In reply to comment #5)
> Ah, we should have Bugzilla::Group->check_carefully. Could somebody please
> implement that?

Not as part of this bug, no. :)
Comment 7 Frédéric Buclin 2011-08-04 13:54:52 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Search.pm
Committed revision 7892.
Comment 8 Max Kanat-Alexander 2011-08-05 17:33:25 PDT
Security advisory sent, unlocking this bug.
