Closed Bug 777398 (CVE-2012-1968) Opened 12 years ago Closed 12 years ago

[SECURITY] HTML bugmail exposes information about restricted bugs

Categories

(Bugzilla :: Email Notifications, defect)

Product:
Bugzilla
Component:
Email Notifications
Version:
4.1.1
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.2

People

(Reporter: glob, Assigned: LpSolit)

References

Details

Attachments

(1 file, 1 obsolete file)

patch, v2
8.33 KB, patch
LpSolit
: review+
Details | Diff | Splinter Review
html bugmail uses the bug_link filter to linkify 'bug NNN' text, both within comments, and when other bugs are referenced (eg blockers, dependencies). the bug_link code always tests if the current user has access to the bug it's marking up, and if not, it sets the title to just the bug's status. however when constructing bugmail, the current user is the user which made the change -- we need to test if to_user has access to the bug.
Affects Bugzilla 4.1.1 and newer. We will need a 4.2.2 and a 4.3.2 release asap. As you can mention private attachments in comments too, both Bugzilla::Template::get_bug_link() and Bugzilla::Template::get_attachment_link() must be fixed. We should pass a new optional argument to the bug_link() and quoteURLs() filters which, if present, override the user object when validating permissions.
Depends on: 326826, 65477
Flags: blocking4.4+
Flags: blocking4.2.2+
Target Milestone: --- → Bugzilla 4.2
Version: 4.2 → 4.1.1
I know that Denis is going to upgrade Eclipse Bugzilla to 4.2.1 on Friday, so CC'ing him so that he knows what the problem is with HTML bugmails. The point is: either wait for Bugzilla 4.2.2, or disable HTML bugmails once the upgrade is done from Administration > Default Preferences > Preferred email format > Text Only + Enabled off "Enable off" will prevent users from selecting HTML bugmails. They will be forced to get plain text emails only (as in Bugzilla 4.0 and older).
use CVE-2012-1968 for this bug.
Alias: CVE-2012-1968
Blocks: 777558
Taking! I'm on it.
Assignee: email-notifications → LpSolit
Status: NEW → ASSIGNED
Attached patch patch, v1 (obsolete) — Splinter Review
This patch applies to both trunk and 4.2.1. It also fixes bug 777586 as both bugs are closely related.
Attachment #645982 - Flags: review?(glob)
Comment on attachment 645982 [details] [diff] [review] patch, v1 r=glob on the condition that bug_list_link is fixed on commit the bug_list_link filter must also accept an options parameter and pass it to get_bug_link. while it isn't used in bugzilla's default bugmail template, it's possible for extensions or custom bugmail templates to use this filter.
Attachment #645982 - Flags: review?(glob) → review+
Flags: approval?
Flags: approval4.2?
Attached patch patch, v2Splinter Review
Also fixing bug_list_link(). Carrying forward glob's r+.
Attachment #645982 - Attachment is obsolete: true
Attachment #646081 - Flags: review+
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval+
Summary: html bugmail exposes information about restricted bugs → [SECURITY] HTML bugmail exposes information about restricted bugs
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/ modified Bugzilla/Hook.pm modified Bugzilla/Template.pm modified template/en/default/email/bugmail.html.tmpl Committed revision 8306. Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/ modified Bugzilla/Hook.pm modified Bugzilla/Template.pm modified template/en/default/email/bugmail.html.tmpl Committed revision 8108.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Security advisory sent.
Group: bugzilla-security
Flags: needinfo?
Flags: needinfo?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: