Closed
Bug 777586
(CVE-2012-1969)
Opened 12 years ago
Closed 12 years ago
[SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment
Categories
(Bugzilla :: Attachments & Requests, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 3.6
People
(Reporter: LpSolit, Assigned: LpSolit)
References
Details
Attachments
(1 file)
726 bytes,
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
When a user who can see a private attachment (i.e. a member of the insidergroup) mentions a private attachment in a public comment, then all users who can see the public comment can also see the description of the private attachment despite they are not allowed to view this attachment (note that this attachment is not listed in the attachments table for that reason, unless you are a member of the insidergroup). The reason is that get_attachment_link() only checks if the bug itself is public or not to decide if the attachment description can be seen by the user or not, despite you can have private attachments on public bugs.
This problem exists since attachment IDs are linkified in comments, i.e since Bugzilla 2.17.5, see bug 153583.
I will probably fix this bug in the same patch as bug 777398.
Flags: blocking4.4+
Flags: blocking4.2.2+
Flags: blocking4.0.7+
Flags: blocking3.6.10+
Assignee | ||
Comment 1•12 years ago
|
||
For 4.2 and trunk, the patch from bug 777398 already fixes this problem. So this patch is for older branches only.
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #645985 -
Flags: review?(glob)
Comment on attachment 645985 [details] [diff] [review]
patch for 3.6 and 4.0, v1
r=glob by inspection
Attachment #645985 -
Flags: review?(glob) → review+
Assignee | ||
Updated•12 years ago
|
Flags: approval4.0?
Flags: approval3.6?
Assignee | ||
Updated•12 years ago
|
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Assignee | ||
Updated•12 years ago
|
Summary: The description of private attachments is still visible to unauthorized users when mentioned in a comment → [SECURITY] The description of private attachments is still visible to unauthorized users when mentioned in a comment
Assignee | ||
Comment 4•12 years ago
|
||
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Template.pm
Committed revision 7714.
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Template.pm
Committed revision 7291.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•