Open Bug 911617 Opened 12 years ago Updated 2 years ago

Bugzilla sometimes allows forging of bug groups when filing bugs.

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal


People

(Reporter: khuey, Unassigned)

Details

Attachments

(1 obsolete file)

This is probably a bugzilla bug, but I'll let you folks move it if appropriate. By manually modifying the HTML bugzilla sends down I was able to file Bug 911613 as an 'infrasec' bug in Core::DOM. I was unable to do this with gfx-core-security or netscape-confidential. So my guess is it only allows me to file a bug with groups that I could conceivably file somewhere else? Marking as bugzilla-security because I don't really understand the ramifications.
I can't reproduce this on landfill. With a product and group pairing configured similarly to how Core and infrasec are here, and the group configured in multiple different ways on some other product (just to be sure), I always get a warning saying "You tried to restrict a bug to the 'Customer1' group, but either this group does not exist, or you are not allowed to restrict bugs to this group in the 'WorldControl' product." So this is likely something Mozilla-specific because of the hack for the security groups on the entry form (since this is one of the security groups).
So, this is actually on purpose, but maybe we should add some checks in place to ensure said group is a viable option for the product before allowing it? https://bzr.mozilla.org/bmo/4.2/view/head:/extensions/BMO/lib/Data.pm#L395 Unhiding, as it's not a security bug.
Group: bugzilla-security
OK, I just had one of the infrasec guys check the bug that got mis-set, and the box is indeed there to remove the group from that bug, so this doesn't create a dead bug or anything. You just need someone with access to that group to go remove it.
(In reply to Reed Loden [:reed] from comment #2)
> So, this is actually on purpose, but maybe we should add some checks in
> place to ensure said group is a viable option for the product before
> allowing it?

What do you mean by "viable"? Surely the aim of having "file anywhere groups" is that you can file a bug anywhere with one of those groups, and so they are "viable" everywhere? :-)

Gerv
(In reply to Gervase Markham [:gerv] from comment #4)
> What do you mean by "viable"? Surely the aim of having "file anywhere
> groups" is that you can file a bug anywhere with one of those groups, and so
> they are "viable" everywhere? :-)

As in, ensure the group controls for a product allow such groups to be set on bugs (even if Shown/NA), or else it's possible you may wind up with a case of a group set on a bug that can't be unset. It's happened before. :)
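The check proposed in comment 5, sketched as an added example (this is not Bugzilla's code or the BMO extension's Data.pm): a group name arriving from the entry form is trusted only after the product's own group controls are consulted, so a tampered hidden field cannot attach a group that the product has no controls for. The products, groups and control rows below are constructed sample data, and the reading of "even if Shown/NA" as "a control row exists at all" is an assumption.

```python
# Added example, not Bugzilla's own code. Models comment 5's proposal: a group
# posted from the entry form is honoured only if the product's group controls
# permit it, so a forged hidden field cannot leave a group on a bug that nobody
# with access to the product can later clear.

NA, SHOWN, DEFAULT, MANDATORY = "NA", "Shown", "Default", "Mandatory"

# Constructed group_control_map: product -> {group: (membercontrol, othercontrol)}.
GROUP_CONTROLS = {
    "Core": {
        "core-security": (SHOWN, SHOWN),
        "infrasec": (SHOWN, NA),   # a row exists, so the group can be unset later
    },
    "WorldControl": {
        "Customer1": (DEFAULT, NA),
    },
}

# Constructed: security groups the entry-form hack offers on every product,
# whatever that product's controls say (the behaviour comment 1 ran into).
FILE_ANYWHERE_GROUPS = {"infrasec", "core-security", "netscape-confidential"}


def product_has_controls_for(product, group):
    """Assumed reading of comment 5: a file-anywhere group is acceptable on a
    product only when the product has a control row for it at all (Shown/NA
    counts), because then someone with product access can remove it again."""
    return group in GROUP_CONTROLS.get(product, {})


def group_settable_by_user(product, group, is_member):
    """Ordinary groups: the user's side of the control row must not be NA."""
    row = GROUP_CONTROLS.get(product, {}).get(group)
    if row is None:
        return False
    membercontrol, othercontrol = row
    return (membercontrol if is_member else othercontrol) != NA


def validate_submitted_groups(product, submitted, member_of=frozenset()):
    """Split client-submitted group names into (accepted, rejected) lists.
    Nothing from the form is trusted: the name must pass a server-side check
    against the product's controls, not merely appear in the posted HTML."""
    accepted, rejected = [], []
    for group in submitted:
        if group in FILE_ANYWHERE_GROUPS:
            ok = product_has_controls_for(product, group)
        else:
            ok = group_settable_by_user(product, group, group in member_of)
        (accepted if ok else rejected).append(group)
    return accepted, rejected
```

With the sample data, a tampered Core submission naming infrasec, gfx-core-security and netscape-confidential keeps only infrasec, mirroring comment 0, where only the group Core actually had controls for could be forged.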
Component: Administration → Extensions: BMO
Component: Extensions: BMO → Extensions
The content of attachment 9381234 [details] has been deleted for the following reason: Spam
