Bug 731178 - (CVE-2012-4199) [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
Version: 3.3.4
Hardware: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on: 371995
Blocks: 667150 805640
Reported: 2012-02-28 05:55 PST by Frédéric Buclin
Modified: 2012-11-14 04:30 PST
CC: 4 users
LpSolit: approval+
LpSolit: approval4.4+
LpSolit: blocking4.4+
LpSolit: approval4.2+
LpSolit: blocking4.2.4+
LpSolit: approval4.0+
LpSolit: blocking4.0.9+
LpSolit: approval3.6+
LpSolit: blocking3.6.12+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch for 4.4 + trunk, v1 (2.62 KB, patch), 2012-10-16 18:07 PDT, Frédéric Buclin, no flags
patch for 4.4 + trunk, v1.1 (2.62 KB, patch), 2012-10-17 04:44 PDT, Frédéric Buclin, dkl: review+
patch for 4.2.x, v1 (2.25 KB, patch), 2012-10-25 11:34 PDT, Frédéric Buclin, dkl: review+
patch for 4.0.x, v1 (2.09 KB, patch), 2012-10-25 14:48 PDT, Frédéric Buclin, dkl: review+
patch for 3.6.x, v1 (1.51 KB, patch), 2012-10-25 15:11 PDT, Frédéric Buclin, dkl: review+

Description Frédéric Buclin 2012-02-28 05:55:31 PST
If a custom field's visibility is controlled by a product or a component of a product you cannot see, their names are displayed in the JS code generated by field-events.js.tmpl:

showFieldWhen('cf_audience', 'component', [ 'very_secret_component' ]);

The UI itself has no reference to this component, but looking at the source code of the page discloses this information. I'm not sure since when this problem has existed. This template has existed since Bugzilla 3.4, see bug 308253, but maybe this problem has been introduced later. We would have to check.

This bug will probably be fixed by bug 695514 for trunk (and 4.2, if there is a valuable perf win).
Comment 1 Frédéric Buclin 2012-08-04 05:49:10 PDT
I checked, and Bugzilla 3.6 and newer are all affected. Bug 695514 fixed the problem only partially. Products you cannot see are still listed in the JS code if a custom field visibility depends on them.
Comment 2 Frédéric Buclin 2012-10-16 17:44:25 PDT
I have a patch almost ready. Taking!
Comment 3 Frédéric Buclin 2012-10-16 18:07:49 PDT
Created attachment 672114 [details] [diff] [review]
patch for 4.4 + trunk, v1

There is no need to do anything for showValueWhen() as it only uses IDs, not names. The patch also hides classifications for logged out users as this code is totally useless and never called (this is not strictly related to this bug, but I think it's fine for 4.4 + trunk). As a side-effect, this also fixes bug 667150.
Comment 4 Frédéric Buclin 2012-10-17 04:44:23 PDT
Created attachment 672251 [details] [diff] [review]
patch for 4.4 + trunk, v1.1

This makes the code a bit faster on installations with many products as I now pass the product object to can_enter_product() instead of its name only. This way, can_enter_product() doesn't need to recreate the product object again. It can use the given one directly, meaning that this method doesn't need to call the DB again and again (the list of enterable products is cached the first time can_enter_product() is called).
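Added illustration of the disclosure from the description and the access check described in comment 4 (example code written here, not Bugzilla's template or Perl): a small Python model of the field-events output, with the unfiltered emitter that reproduces the leak beside one that checks each product or component name against the viewer's access before emitting it, plus a check that scans generated JS for names the viewer should not see. PRODUCTS, FIELD_VISIBILITY and the User class are constructed stand-ins.

```python
import json

# Constructed sample data, not Bugzilla's own: each product's components,
# and visibility rules in the shape of showFieldWhen()'s arguments:
# field name -> (controlling field, controlling values)
PRODUCTS = {
    "Public Product": ["General", "Docs"],
    "Secret Product": ["very_secret_component"],
}
FIELD_VISIBILITY = {
    "cf_audience": ("component", ["General", "very_secret_component"]),
    "cf_release": ("product", ["Public Product", "Secret Product"]),
}


class User:
    """Hypothetical stand-in for the Bugzilla user object."""

    def __init__(self, enterable_products):
        self._enterable = set(enterable_products)  # computed once, then reused

    def can_enter_product(self, product):
        return product in self._enterable

    def visible_components(self):
        return {c for p in self._enterable for c in PRODUCTS[p]}


def js_calls_unfiltered(rules):
    """Vulnerable shape: every controlling name is emitted for every viewer."""
    return [f"showFieldWhen({json.dumps(f)}, {json.dumps(ctl)}, {json.dumps(vals)});"
            for f, (ctl, vals) in rules.items()]


def js_calls_filtered(rules, user):
    """Fixed shape: names are checked against the viewer's access before emission."""
    allowed = {"product": {p for p in PRODUCTS if user.can_enter_product(p)},
               "component": user.visible_components()}
    out = []
    for f, (ctl, vals) in rules.items():
        if ctl in allowed:  # other controlling fields are left untouched in this model
            vals = [v for v in vals if v in allowed[ctl]]
        out.append(f"showFieldWhen({json.dumps(f)}, {json.dumps(ctl)}, {json.dumps(vals)});")
    return out


def leaked_names(js_lines, user):
    """Page-source check: hidden product/component names present in the generated JS."""
    hidden = {p for p in PRODUCTS if not user.can_enter_product(p)}
    hidden |= {c for cs in PRODUCTS.values() for c in cs} - user.visible_components()
    return sorted(n for n in hidden if any(json.dumps(n) in line for line in js_lines))
```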
Comment 5 David Lawrence [:dkl] 2012-10-22 07:41:12 PDT
Comment on attachment 672251 [details] [diff] [review]
patch for 4.4 + trunk, v1.1

Review of attachment 672251 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine and works as expected. I still do not like the fact that the private custom field (field that becomes visible when private product/component is selected) is always in the HTML whether the user can access the product/component or not. This could basically give away sensitive information from a field associated with a private product. But that is a matter for a different bug/discussion. r=dkl
Comment 6 Frédéric Buclin 2012-10-25 11:34:07 PDT
Created attachment 675225 [details] [diff] [review]
patch for 4.2.x, v1

Backport for 4.2. The only difference is a tiny bitrot in the first block of edit.html.tmpl. No functionality change. I still hide classifications from logged out users.
Comment 7 David Lawrence [:dkl] 2012-10-25 14:30:55 PDT
Comment on attachment 675225 [details] [diff] [review]
patch for 4.2.x, v1

Review of attachment 675225 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 8 Frédéric Buclin 2012-10-25 14:48:11 PDT
Created attachment 675309 [details] [diff] [review]
patch for 4.0.x, v1

Backport for 4.0. This time, I leave all_classifications alone to have minimal changes for this branch.
Comment 9 Frédéric Buclin 2012-10-25 15:11:48 PDT
Created attachment 675326 [details] [diff] [review]
patch for 3.6.x, v1

Backport for 3.6. In 3.6, it's not possible to use classifications or components to restrict the visibility of fields, so this makes the patch simpler.
Comment 10 David Lawrence [:dkl] 2012-10-26 07:14:50 PDT
Comment on attachment 675309 [details] [diff] [review]
patch for 4.0.x, v1

r=dkl
Comment 11 David Lawrence [:dkl] 2012-10-26 07:34:29 PDT
Comment on attachment 675326 [details] [diff] [review]
patch for 3.6.x, v1

Review of attachment 675326 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Comment 12 Frédéric Buclin 2012-11-13 09:12:00 PST
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/field-events.js.tmpl
Committed revision 8466.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/field-events.js.tmpl
Committed revision 8451.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/field-events.js.tmpl
Committed revision 8165.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/bug/field-events.js.tmpl
modified template/en/default/bug/field.html.tmpl
modified template/en/default/bug/create/create.html.tmpl
Committed revision 7731.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/bug/field-events.js.tmpl
modified template/en/default/bug/field.html.tmpl
Committed revision 7305.
Comment 13 Frédéric Buclin 2012-11-14 04:30:21 PST
Security advisory sent. Removing the security flag.