Bug 731178 (CVE-2012-4199)

[SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see

RESOLVED FIXED in Bugzilla 3.6

Status


Bugzilla
Creating/Changing Bugs
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

3.3.4
Bugzilla 3.6
Bug Flags:
approval +
approval4.4 +
blocking4.4 +
approval4.2 +
blocking4.2.4 +
approval4.0 +
blocking4.0.9 +
approval3.6 +
blocking3.6.12 +

Details

Attachments

(4 attachments, 1 obsolete attachment)

(Assignee)

Description

6 years ago
If a custom field visibility is controlled by a product or a component of a product you cannot see, their names are displayed in the JS code generated by field-events.js.tmpl:

showFieldWhen('cf_audience', 'component', [ 'very_secret_component' ]);

The UI itself has no reference to this component, but looking at the source code of the page discloses this information. I'm not sure since when this problem has existed. This template has existed since Bugzilla 3.4 (see bug 308253), but maybe this problem was introduced later. We would have to check.

This bug will probably be fixed by bug 695514 for trunk (and 4.2, if there is a valuable perf win).
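The description above is the whole bug: the template writes the names of controlling products/components into the page's JavaScript without checking whether the viewer is allowed to see them. The following Python is an added illustration and not Bugzilla's Perl/Template Toolkit code: it models the template's output, reproduces the leak, shows the server-side filtering the fix applies (each value is checked against a can_enter_product() stand-in before being emitted) and adds a regression check of the kind a reviewer would want. Product, the field tuples (cf_name, controller, [(Product, component_or_None), ...]) and the user's product set are constructed sample data.

```python
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Product:
    id: int
    name: str
    components: tuple = ()  # component names (constructed sample data)

def can_enter_product(user_ids, product):  # stand-in for Bugzilla's user->can_enter_product()
    return product.id in user_ids  # user_ids: set of product IDs the user may enter

def js_str(s):  # minimal JS single-quoted literal, enough for this demo
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_field_events(fields, user_ids, filter_hidden=True):
    """One showFieldWhen() call per controlled field, as the template does. With
    filter_hidden=False every name is emitted (the leak); True filters first."""
    lines = []
    for cf_name, controller, values in fields:
        names = [p.name if c is None else c for p, c in values
                 if not filter_hidden or can_enter_product(user_ids, p)]
        args = ", ".join(js_str(n) for n in names)
        lines.append(f"showFieldWhen({js_str(cf_name)}, {js_str(controller)}, [ {args} ]);")
    return "\n".join(lines)

def leaked_names(js_text, user_ids, products):
    """Regression check: hidden product/component names present in the JS."""
    hidden = set()
    for p in products:
        if not can_enter_product(user_ids, p):
            hidden.add(p.name)
            hidden.update(p.components)
    found = set(re.findall(r"'((?:[^'\\]|\\.)*)'", js_text))
    return sorted(hidden & found)

# Constructed sample data: one product the user may enter, one they may not
PUBLIC = Product(1, "Bugzilla", ("Creating/Changing Bugs",))
SECRET = Product(2, "very_secret_product", ("very_secret_component",))
FIELDS = (
    ("cf_audience", "component", [(PUBLIC, "Creating/Changing Bugs"),
                                  (SECRET, "very_secret_component")]),
    ("cf_budget", "product", [(SECRET, None)]),
)
OUTSIDER = frozenset({1})
if __name__ == "__main__":
    for hardened in (False, True):
        js = render_field_events(FIELDS, OUTSIDER, filter_hidden=hardened)
        print(js, "\nleaked:", leaked_names(js, OUTSIDER, (PUBLIC, SECRET)), "\n")
```

Note that only names are filtered here; the bug's showValueWhen() counterpart emits numeric IDs and so has nothing to hide, as comment 3 points out.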
(Assignee)

Comment 1

5 years ago
I checked, and Bugzilla 3.6 and newer are all affected. Bug 695514 fixed the problem only partially. Products you cannot see are still listed in the JS code if a custom field visibility depends on them.
(Assignee)

Updated

5 years ago
Flags: blocking4.4+
(Assignee)

Comment 2

5 years ago
I have a patch almost ready. Taking!
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
(Assignee)

Comment 3

5 years ago
Created attachment 672114 [details] [diff] [review]
patch for 4.4 + trunk, v1

There is no need to do anything for showValueWhen() as it only uses IDs, not names. The patch also hides classifications for logged out users as this code is totally useless and never called (this is not strictly related to this bug, but I think it's fine for 4.4 + trunk). As a side-effect, this also fixes bug 667150.
Attachment #672114 - Flags: review?(glob)
(Assignee)

Updated

5 years ago
Blocks: 667150
(Assignee)

Updated

5 years ago
Flags: blocking4.2.4+
Flags: blocking4.0.9+
Flags: blocking3.6.12+
Summary: field-events.js.tmpl discloses product and component names that the user is not allowed to see → [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
(Assignee)

Comment 4

5 years ago
Created attachment 672251 [details] [diff] [review]
patch for 4.4 + trunk, v1.1

This makes the code a bit faster on installations with many products as I now pass the product object to can_enter_product() instead of its name only. This way, can_enter_product() doesn't need to recreate the product object again. It can use the given one directly, meaning that this method doesn't need to call the DB again and again (the list of enterable products is cached the first time can_enter_product() is called).
Attachment #672114 - Attachment is obsolete: true
Attachment #672114 - Flags: review?(glob)
Attachment #672251 - Flags: review?(glob)
(Assignee)

Updated

5 years ago
Attachment #672251 - Flags: review?(dkl)
Comment on attachment 672251 [details] [diff] [review]
patch for 4.4 + trunk, v1.1

Review of attachment 672251 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine and works as expected. I still do not like the fact that the private custom field (field that becomes visible when private product/component is selected) is always in the HTML whether the user can access the product/component or not. This could basically give away sensitive information from a field associated with a private product. But that is a matter for a different bug/discussion. r=dkl
Attachment #672251 - Flags: review?(dkl) → review+

Updated

5 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
Flags: approval3.6?
(Assignee)

Updated

5 years ago
Attachment #672251 - Flags: review?(glob)
(Assignee)

Comment 6

5 years ago
Created attachment 675225 [details] [diff] [review]
patch for 4.2.x, v1

Backport for 4.2. The only difference is a tiny bitrot in the first block of edit.html.tmpl. No functionality change. I still hide classifications from logged out users.
Attachment #675225 - Flags: review?(dkl)
Comment on attachment 675225 [details] [diff] [review]
patch for 4.2.x, v1

Review of attachment 675225 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #675225 - Flags: review?(dkl) → review+
(Assignee)

Comment 8

5 years ago
Created attachment 675309 [details] [diff] [review]
patch for 4.0.x, v1

Backport for 4.0. This time, I leave all_classifications alone to have minimal changes for this branch.
Attachment #675309 - Flags: review?(dkl)
(Assignee)

Comment 9

5 years ago
Created attachment 675326 [details] [diff] [review]
patch for 3.6.x, v1

Backport for 3.6. In 3.6, it's not possible to use classifications or components to restrict the visibility of fields, so this makes the patch simpler.
Attachment #675326 - Flags: review?(dkl)
(Assignee)

Updated

5 years ago
Blocks: 805640
Comment on attachment 675309 [details] [diff] [review]
patch for 4.0.x, v1

r=dkl
Attachment #675309 - Flags: review?(dkl) → review+
Comment on attachment 675326 [details] [diff] [review]
patch for 3.6.x, v1

Review of attachment 675326 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #675326 - Flags: review?(dkl) → review+
Alias: CVE-2012-4199
(Assignee)

Updated

5 years ago
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
(Assignee)

Comment 12

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/field-events.js.tmpl
Committed revision 8466.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/field-events.js.tmpl
Committed revision 8451.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/field-events.js.tmpl
Committed revision 8165.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/bug/field-events.js.tmpl
modified template/en/default/bug/field.html.tmpl
modified template/en/default/bug/create/create.html.tmpl
Committed revision 7731.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/bug/field-events.js.tmpl
modified template/en/default/bug/field.html.tmpl
Committed revision 7305.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Depends on: 371995
Version: 4.3 → 3.3.4
(Assignee)

Comment 13

5 years ago
Security advisory sent. Removing the security flag.
Group: bugzilla-security