Bug 840824 - It is possible to create a new bug with a non active target milestone, version or component
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Creating/Changing Bugs
: 4.2
: All All
: -- minor
: Bugzilla 4.2
Assigned To: mail
: default-qa
Mentors:
Depends on: 752946
Blocks:
Reported: 2013-02-12 17:34 PST by mail
Modified: 2013-02-16 13:58 PST
LpSolit: approval+
LpSolit: approval4.4+
LpSolit: blocking4.4+
LpSolit: approval4.2+
LpSolit: blocking4.2.5+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
v1 patch (630 bytes, patch)
2013-02-12 17:39 PST, mail
LpSolit: review-
v2 patch (1.67 KB, patch)
2013-02-13 17:28 PST, mail
LpSolit: review+

Description mail 2013-02-12 17:34:51 PST
With the changes in bug 752946 it is possible to create a new bug (either via RPC or URL hijacking) with a milestone that is inactive. This shouldn't be allowed.
Comment 1 mail 2013-02-12 17:39:36 PST
Created attachment 713221
v1 patch

I've requested the blocking on this bug on the same basis as the bug that created the problem.
Comment 2 Frédéric Buclin 2013-02-13 07:48:35 PST
Comment on attachment 713221
v1 patch

I think the problem you describe affects versions and components too. IMO, the right fix is to write:

my $old_foo = blessed($invocant) ? $invocant->foo : '';

This way, the first part of

  if ($object->name ne $old_foo && !$object->is_active)

will always be false for new bugs (a component, version or milestone cannot be '') and we will always call !$object->is_active.

So please fix this issue for versions and components too.
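
The check described in comment 2 above, as an added example that is not part of the bug thread and is not Bugzilla's own code. Demo::Bug, Demo::Value, check_value and the sample values are constructed stand-ins; only the two lines quoted in the comment are taken from the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a milestone, version or component object.
package Demo::Value;
sub new       { my ($class, %args) = @_; return bless {%args}, $class }
sub name      { $_[0]{name} }
sub is_active { $_[0]{is_active} }

# Constructed stand-in for a bug. check_value() may be called on the class
# (a bug being created) or on an instance (an existing bug being changed).
package Demo::Bug;
use Scalar::Util qw(blessed);
sub new   { my ($class, %args) = @_; return bless {%args}, $class }
sub value { $_[0]{value} }

sub check_value {
    my ($invocant, $object) = @_;
    # A class-method call has no previous value, so fall back to ''.
    # A real name is never '', so the is_active test always runs for new bugs.
    my $old_value = blessed($invocant) ? $invocant->value : '';
    if ($object->name ne $old_value && !$object->is_active) {
        die "'" . $object->name . "' is inactive and cannot be selected\n";
    }
    return $object->name;
}

package main;

# Constructed sample data: '4.0' has been deactivated, '4.2' is still active.
my $inactive = Demo::Value->new(name => '4.0', is_active => 0);
my $active   = Demo::Value->new(name => '4.2', is_active => 1);

my @cases = (
    [ 'new bug, active value',        'Demo::Bug',                    $active   ],
    [ 'new bug, inactive value',      'Demo::Bug',                    $inactive ],
    [ 'existing bug keeps its value', Demo::Bug->new(value => '4.0'), $inactive ],
    [ 'existing bug, new inactive',   Demo::Bug->new(value => '4.2'), $inactive ],
);
for my $case (@cases) {
    my ($label, $invocant, $object) = @$case;
    my $ok = eval { $invocant->check_value($object); 1 };
    printf "%-30s %s", $label, $ok ? "accepted\n" : "rejected: $@";
}
```

The third case is why the comparison with the old value is kept: a bug that already carries a since-deactivated value can still be saved, while any attempt to select an inactive value, on a new or an existing bug, is refused server-side regardless of what the UI lists.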
Comment 3 Frédéric Buclin 2013-02-13 07:53:21 PST
This is less problematic for new bugs, because the UI doesn't list inactive values. So unless you hack the URL directly, honest users are not affected by this issue. But I'm fine to take it for 4.2.5 anyway as the fix in bug 752946 is incomplete.
Comment 4 mail 2013-02-13 17:28:48 PST
Created attachment 713735
v2 patch
Comment 5 Frédéric Buclin 2013-02-16 13:51:31 PST
Comment on attachment 713735
v2 patch

No need to write : '' on its own line. On checkin, it should be moved on the same line as foo ? bar. r=LpSolit
Comment 6 Frédéric Buclin 2013-02-16 13:58:33 PST
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Bug.pm
Committed revision 8577.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified Bugzilla/Bug.pm
Committed revision 8518.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/Bug.pm
Committed revision 8187.
