Bug 674497 (CVE-2011-2979)

[SECURITY] Custom searches let you determine if a group exists or not

RESOLVED FIXED in Bugzilla 4.2

Status

Bugzilla
Query/Bug List
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

({regression})

4.1.1
Bugzilla 4.2
regression
Bug Flags:
approval +
blocking4.2 +
testcase ?

Details

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
Regression due to bug 574556, i.e. since Bugzilla 4.1.1:

Run the two queries below:

1) Assignee is equal to %group.foo%
2) Assignee is equal to %group.canconfirm%

In Bugzilla 4.0.x and below, you get the same error message, independently of whether the group exists or not, to not leak this information, see bug 417048. But this regressed again in 4.1.1 as ValidateGroupName() has been replaced by Bugzilla::Group->check(), which throws an explicit error message if the group doesn't exist.
Flags: blocking4.2+
(Assignee)

Comment 1

6 years ago
Created attachment 548748
patch, v1

Override the error message to match what happens when the user is not in the group, so that the error message is exactly the same in both cases.
Attachment #548748 - Flags: review?(glob)
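
The existence oracle described above and its closure, as an added example that is not part of the original bug or of the Bugzilla code base. The group table, user names, helper names and the 'group_does_not_exist' tag are constructed for illustration; only the 'invalid_group_name' tag and the %group.NAME% syntax come from this page.

```perl
use strict;
use warnings;

# Constructed sample data: group name => members. Not Bugzilla's schema.
my %GROUPS = (
    canconfirm => { alice => 1 },
    editbugs   => { alice => 1, bob => 1 },
);

# Leaky variant: an unknown group and a non-member fail with different
# errors, so the error text tells the caller whether the group exists.
# 'group_does_not_exist' is a constructed tag, not a Bugzilla error name.
sub resolve_group_leaky {
    my ($user, $value) = @_;
    my ($name) = $value =~ /^%group\.([^%]+)%$/
        or die "invalid_group_name\n";
    exists $GROUPS{$name} or die "group_does_not_exist\n";
    $GROUPS{$name}{$user} or die "invalid_group_name\n";
    return $name;
}

# Uniform variant: no match, unknown group and non-member share one error.
# Testing $GROUPS{$name} first also avoids autovivifying an empty entry.
sub resolve_group_uniform {
    my ($user, $value) = @_;
    my ($name) = $value =~ /^%group\.([^%]+)%$/;
    die "invalid_group_name\n"
        unless defined $name && $GROUPS{$name} && $GROUPS{$name}{$user};
    return $name;
}

# Error text the caller sees, or '' on success.
sub error_for {
    my ($resolver, $user, $value) = @_;
    return eval { $resolver->($user, $value); 1 } ? '' : $@;
}

# The two queries from the report, run as bob (not a member of canconfirm).
for my $impl ([leaky => \&resolve_group_leaky], [uniform => \&resolve_group_uniform]) {
    my ($label, $fn) = @$impl;
    my $missing   = error_for($fn, 'bob', '%group.foo%');
    my $nonmember = error_for($fn, 'bob', '%group.canconfirm%');
    printf "%-8s errors distinguishable: %s\n", $label,
        $missing ne $nonmember ? 'yes' : 'no';
}
```

Comparing the two error strings for a known-missing and a known-present group is also a usable regression test for this class of leak.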
(Assignee)

Updated

6 years ago
Summary: Custom searches let you determine if a group exists or not → [SECURITY] Custom searches let you determine if a group exists or not
Comment on attachment 548748
patch, v1

r=glob
Attachment #548748 - Flags: review?(glob) → review+
Flags: approval?
Flags: approval4.2?
(Assignee)

Comment 3

6 years ago
We didn't branch yet. :)
Flags: approval4.2?
Use CVE-2011-2979 for this bug
Alias: CVE-2011-2979

Comment 5

6 years ago
Comment on attachment 548748
patch, v1

Review of attachment 548748:
-----------------------------------------------------------------

::: Bugzilla/Search.pm
@@ +2007,4 @@
>      my $user = $self->_user;
>      
>      $value =~ /\%group\.([^%]+)%/;
> +    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
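
Review bot: The added Bugzilla::Group->check call passes $1 without testing that the match on the preceding line succeeded; in Perl a failed match leaves $1 holding the capture from an earlier successful match, so the lookup could run against an unrelated string. Unless the caller already guarantees that $value matches, capture explicitly with "my ($name) = $value =~ /\%group\.([^%]+)%/;" and raise the same invalid_group_name error when $name is undefined. A one-line comment stating that _error is overridden to keep the unknown-group and not-a-member errors identical would also make the intent visible to whoever next touches this lookup.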

Ah, we should have Bugzilla::Group->check_carefully. Could somebody please implement that?
(Assignee)

Comment 6

6 years ago
(In reply to comment #5)
> Ah, we should have Bugzilla::Group->check_carefully. Could somebody please
> implement that?

Not as part of this bug, no. :)
(Assignee)

Updated

6 years ago
Flags: approval? → approval+
(Assignee)

Comment 7

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Search.pm
Committed revision 7892.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 8

6 years ago
Security advisory sent, unlocking this bug.
Group: bugzilla-security
(Assignee)

Updated

6 years ago
Flags: testcase?