Closed Bug 674497 (CVE-2011-2979) Opened 14 years ago Closed 13 years ago

[SECURITY] Custom searches let you determine if a group exists or not

Categories

(Bugzilla :: Query/Bug List, defect)

Product:
Bugzilla
Component:
Query/Bug List
Version:
4.1.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.2

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

(Keywords: regression)

Attachments

(1 file)

patch, v1
1.09 KB, patch
glob
: review+
Details | Diff | Splinter Review
Regression due to bug 574556, i.e. since Bugzilla 4.1.1: Run the two queries below: 1) Assignee is equal to %group.foo% 2) Assignee is equal to %group.canconfirm% In Bugzilla 4.0.x and below, you get the same error message, independently of whether the group exists or not, to not leak this information, see bug 417048. But this regressed again in 4.1.1 as ValidateGroupName() has been replaced by Bugzilla::Group->check(), which throws an explicit error message if the group doesn't exist.
Flags: blocking4.2+
Attached patch patch, v1Splinter Review
Override the error message to match what happens when the user is not in the group, so that the error message is exactly the same in both cases.
Attachment #548748 - Flags: review?(glob)
Summary: Custom searches let you determine if a group exists or not → [SECURITY] Custom searches let you determine if a group exists or not
Comment on attachment 548748 [details] [diff] [review] patch, v1 r=glob
Attachment #548748 - Flags: review?(glob) → review+
Flags: approval?
Flags: approval4.2?
We didn't branch yet. :)
Flags: approval4.2?
Use CVE-2011-2979 for this bug
Alias: CVE-2011-2979
Comment on attachment 548748 [details] [diff] [review] patch, v1 Review of attachment 548748 [details] [diff] [review]: ----------------------------------------------------------------- ::: Bugzilla/Search.pm @@ +2007,4 @@ > my $user = $self->_user; > > $value =~ /\%group\.([^%]+)%/; > + my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' }); Ah, we should have Bugzilla::Group->check_carefully. Could somebody please implement that?
(In reply to comment #5) > Ah, we should have Bugzilla::Group->check_carefully. Could somebody please > implement that? Not as part of this bug, no. :)
Flags: approval? → approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/ modified Bugzilla/Search.pm Committed revision 7892.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Security advisory sent, unlocking this bug.
Group: bugzilla-security
Flags: testcase?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: