HTML bugmail uses the bug_link filter to linkify 'bug NNN' text, both within comments and when other bugs are referenced (e.g. blockers, dependencies). The bug_link code always tests if the current user has access to the bug it's marking up, and if not, it sets the title to just the bug's status. However, when constructing bugmail, the current user is the user which made the change -- we need to test if to_user has access to the bug.
Affects Bugzilla 4.1.1 and newer. We will need a 4.2.2 and a 4.3.2 release asap. As you can mention private attachments in comments too, both Bugzilla::Template::get_bug_link() and Bugzilla::Template::get_attachment_link() must be fixed. We should pass a new optional argument to the bug_link() and quoteURLs() filters which, if present, override the user object when validating permissions.
I know that Denis is going to upgrade Eclipse Bugzilla to 4.2.1 on Friday, so CC'ing him so that he knows what the problem is with HTML bugmails. The point is: either wait for Bugzilla 4.2.2, or disable HTML bugmails once the upgrade is done from Administration > Default Preferences > Preferred email format > Text Only + Enabled off. "Enabled off" will prevent users from selecting HTML bugmails. They will be forced to get plain text emails only (as in Bugzilla 4.0 and older).
use CVE-2012-1968 for this bug.
Taking! I'm on it.
Assignee: email-notifications → LpSolit
Status: NEW → ASSIGNED
This patch applies to both trunk and 4.2.1. It also fixes bug 777586 as both bugs are closely related.
Attachment #645982 - Flags: review?(glob)
Comment on attachment 645982 [details] [diff] [review] patch, v1

r=glob on the condition that bug_list_link is fixed on commit. The bug_list_link filter must also accept an options parameter and pass it to get_bug_link. While it isn't used in Bugzilla's default bugmail template, it's possible for extensions or custom bugmail templates to use this filter.
Attachment #645982 - Flags: review?(glob) → review+
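As an added illustration of the fix described in comment 1 and in glob's review (this is not Bugzilla's own code): a minimal stand-in for the bug_link and bug_list_link filters, using constructed FakeUser objects. The "before" shape checks the permissions of the current (changing) user, which is what leaked restricted summaries into bugmail; the "after" shape honours an optional user option so the bugmail code can pass to_user, and bug_list_link forwards that option unchanged.

```perl
#!/usr/bin/perl
# Illustrative stand-in for Bugzilla's bug_link filter (not Bugzilla code).
use strict;
use warnings;

# Constructed stand-in for Bugzilla::User: a bug in a group is visible
# only to users who are members of that group.
package FakeUser;
sub new { my ($class, %args) = @_; return bless {%args}, $class }
sub can_see_bug {
    my ($self, $bug) = @_;
    return $bug->{group} ? ($self->{groups}{ $bug->{group} } ? 1 : 0) : 1;
}

package main;

# In bugmail the "current user" is the user who made the change, not the
# recipient; these objects are constructed for the demonstration.
my $current_user = FakeUser->new(name => 'changer',   groups => { secgroup => 1 });
my $to_user      = FakeUser->new(name => 'recipient', groups => {});
my $bug = { id => 777, group => 'secgroup', status => 'NEW', summary => 'restricted summary' };

# Vulnerable shape: the visibility check always uses the current user, so a
# recipient without access still gets the summary in the link title.
sub get_bug_link_before {
    my ($bug, $link_text) = @_;
    my $title = $current_user->can_see_bug($bug) ? "$bug->{status} - $bug->{summary}" : $bug->{status};
    return qq{<a title="$title">$link_text</a>};
}

# Fixed shape: an optional options hash may carry the user whose permissions
# should be checked; it defaults to the current user for normal page rendering.
sub get_bug_link_after {
    my ($bug, $link_text, $options) = @_;
    $options ||= {};
    my $user  = $options->{user} || $current_user;
    my $title = $user->can_see_bug($bug) ? "$bug->{status} - $bug->{summary}" : $bug->{status};
    return qq{<a title="$title">$link_text</a>};
}

# bug_list_link must accept the same options and pass them straight through,
# otherwise custom templates calling it would keep the old behaviour.
sub bug_list_link_after {
    my ($bugs, $options) = @_;
    return join(', ', map { get_bug_link_after($_, "bug $_->{id}", $options) } @$bugs);
}

print "before: ", get_bug_link_before($bug, "bug $bug->{id}"), "\n";
print "after:  ", get_bug_link_after($bug, "bug $bug->{id}", { user => $to_user }), "\n";
print "list:   ", bug_list_link_after([$bug], { user => $to_user }), "\n";
```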
Also fixing bug_list_link(). Carrying forward glob's r+.
Summary: html bugmail exposes information about restricted bugs → [SECURITY] HTML bugmail exposes information about restricted bugs
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/trunk/
modified Bugzilla/Hook.pm
modified Bugzilla/Template.pm
modified template/en/default/email/bugmail.html.tmpl
Committed revision 8306.

Committing to: bzr+ssh://email@example.com/bugzilla/4.2/
modified Bugzilla/Hook.pm
modified Bugzilla/Template.pm
modified template/en/default/email/bugmail.html.tmpl
Committed revision 8108.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Security advisory sent.