Closed Bug 157704 Opened 22 years ago Closed 22 years ago

if you delete a product when usebuggroups is ON, administrator's right may change

Categories

(Bugzilla :: User Accounts, defect)

2.14.1
x86
Windows 2000
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: ravishk, Assigned: justdave)

Details

(Whiteboard: [fixed in 2.16.3][doesn't exist on trunk])

Attachments

(1 file)

Hi There, I was going through the Bugzilla code. I found one bug in "editproducts.cgi".
fileName: editproducts.cgi
LineNumber: 651
"AND (groupset != 9223372036854710271)");
but as per my knowledge, and as defined in globals.pl, the admin bit number is 9223372036854775807. So I think it can change the admin's rights while deleting a product when usebuggroups is ON. Correct me if I am wrong.
Thanks & Regards
R K Singh
This looks like a real error. The only difference between these values is that the value in editproducts.cgi is missing the 2^16 bit. I'll be happy to make a patch if it is OK to write/submit a patch where the benefit is seen only by inspection and it is tested just to make sure it doesn't break anything.
Use $::admingroupset from globals.pl (or whatever the var is called).
Is this even still an issue? I think the groups rewrite fixed this (since there's a separate admin group which is inherited now instead of the admin being a member of every group)
joel: ping (see comment #3)
This would only impact the old bugzillas. The new group system already takes this into account during conversion. So, unless someone wants to fix this on the 2.16 branch, there is no change to make.
Although it's admittedly a minor thing, it does meet the qualifications of a security problem, since the admin could accidentally change his own privs. And the timing is perfect since we're going to be doing a 2.16.3 release shortly anyway.
Whiteboard: [want for 2.16.3]
Target Milestone: --- → Bugzilla 2.16
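The following is an added example, not Bugzilla's own Perl code or the patch attached to this bug. It models in Python what comments 0, 1 and 5 describe: in the 2.16 bitmask scheme the administrator is the user whose groupset has every bit set (9223372036854775807, 2^63-1), and the product-deletion cleanup in editproducts.cgi excluded users from the group-bit update with a `groupset != <literal>` clause whose literal was missing bit 16. Only that exclusion clause appears on the page; the bit-clearing step, the sample profiles table and the function names are assumptions made for the demonstration.

```python
# Added example (not Bugzilla's code): model of the 2.16.2 product-deletion group cleanup,
# showing how a wrong admin sentinel lets the administrator lose privileges.

ADMIN_GROUPSET = (1 << 63) - 1          # 9223372036854775807: every group bit set (globals.pl)
BUGGY_SENTINEL = 9223372036854710271    # literal used in editproducts.cgi line 651 (2.16.2)


def differing_bits(a, b):
    """Return the bit positions at which two 64-bit groupset values differ."""
    return [i for i in range(64) if (a ^ b) >> i & 1]


def is_admin(groupset):
    """In the 2.16 bitmask scheme an admin is a user holding every group bit."""
    return groupset == ADMIN_GROUPSET


def delete_product_group(profiles, group_bit, admin_sentinel):
    """Assumed model (not the actual SQL) of the cleanup run when a product's bug group
    is removed: clear the group's bit from every user who holds it, except the user
    whose groupset equals the admin sentinel. The page shows only the
    `groupset != <sentinel>` clause; the bit-clearing update is an assumption here."""
    return {
        login: (gs & ~group_bit) if (gs & group_bit) and gs != admin_sentinel else gs
        for login, gs in profiles.items()
    }


def simulate(admin_sentinel, group_bit=1 << 40):
    """Run the deletion over a constructed profiles table (sample data, not real users)
    and report whether the administrator still holds every bit afterwards."""
    profiles = {
        "admin@example.test": ADMIN_GROUPSET,            # the administrator
        "dev@example.test": (1 << 3) | group_bit,        # member of the deleted group
        "tester@example.test": 1 << 5,                   # unrelated group only
    }
    after = delete_product_group(profiles, group_bit, admin_sentinel)
    return is_admin(after["admin@example.test"]), after


if __name__ == "__main__":
    print("bits differing between admin groupset and buggy literal:",
          differing_bits(ADMIN_GROUPSET, BUGGY_SENTINEL))
    for label, sentinel in (("buggy literal", BUGGY_SENTINEL),
                            ("correct admin value", ADMIN_GROUPSET)):
        still_admin, _ = simulate(sentinel)
        print(f"{label}: admin still admin after product deletion? {still_admin}")
```

With the buggy literal the administrator's row does not match the exclusion clause (its groupset differs from the literal by bit 16), so the deleted group's bit is cleared from it and the groupset no longer equals the all-bits admin value; with the correct constant the row is skipped and the administrator is unchanged. This is exactly the "admin loses privs rather than creating a hole" outcome described in comment 8.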
Attached patch: patch against 2.16.2 (deleted)
This patch is against version 2.16.2. Do note that as mentioned in earlier comments, this problem is not present in 2.17.
Attachment #114120 - Flags: review?(bugreport)
Whiteboard: [want for 2.16.3] → [want for 2.16.3][doesn't exist on trunk]
Attachment #114120 - Flags: review?(bugreport) → review+
From the standpoint of being worth an update, it should be included. There is no reason I can see for an advisory, though. This lets an admin lose privs rather than creating a hole.
mine
Assignee: myk → justdave
Flags: approval+
Checked in on BUGZILLA-2_16-BRANCH
Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi
new revision: 1.24.2.3; previous revision: 1.24.2.2
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [want for 2.16.3][doesn't exist on trunk] → [fixed in 2.16.3][doesn't exist on trunk]
QA Contact: matty_is_a_geek → default-qa