Bug 163135 - reports.cgi with usebuggroups on
Status: RESOLVED INVALID (Closed)
Opened 22 years ago, closed 21 years ago
Categories: Bugzilla :: Reporting/Charting, defect, P4
People: Reporter rbro, Assigned gerv
I have usebuggroups and usebuggroupsentry both turned on, so that products are
isolated to specific groups of people, and people can't see bugs that they
aren't permitted to.
If I go to my bugzilla homepage as a non-logged in user, and click on the
reports link and view a standard report, I can see a listing of e-mail
addresses and bug numbers for products that I shouldn't have access to. If I
click any bug number, I get the message that I'm not authorized to view the
bug, but should a non-logged in user (or a user who doesn't have permissions
for a product) be able to see a listing of the 'engineers' and bug numbers
relating to that product, which he should otherwise know nothing about, nor have
access to view?
Comment 1 (Assignee) • 22 years ago
While not ideal, I don't think this is a serious information leak. Those reports
are going away eventually (yes, I know I always say that, but I actually have an
implementation of their replacement) and the code is horrible, so I don't like
working with it. ;-)
Gerv
Comment 2 (Reporter) • 22 years ago
I haven't yet taken a look at the code in reports.cgi, but one thing I noticed
is this:
If I log in as a user with access to just one product (out of the many that
exist), on the initial reports.cgi page, the Product dropdown lists an 'All'
option and the one product that I have access to. If I choose that one product
and click Continue, I get stats just for that one product, but if I
choose 'All', I get stats for all products (including ones not listed in that
dropdown).
Since the code to retrieve stats for just one product already exists, to fix
the problem for the 'All' case, wouldn't the fix be to do the SQL query to get
the list of products that the user has access to, and add them all into the
various SQL statements for the stats, just as the one product is added in now
to the SQL for the singular product case?
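The fix Comment 2 proposes, as an added illustration that is not Bugzilla's own code: a constructed SQLite schema stands in for the products, bugs and group-access tables, and the unfiltered 'All' report sits beside a version that first fetches the user's accessible product list and adds it to the stats query. The table and column names, the sample rows and the empty login for an anonymous viewer are assumptions of this example.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the Bugzilla tables involved.

    Table and column names are assumptions for this example, not the real
    Bugzilla schema; the rows are made-up sample data.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE bugs (id INTEGER PRIMARY KEY, product_id INTEGER,
                           assigned_to TEXT);
        CREATE TABLE user_product_access (login TEXT, product_id INTEGER);
        INSERT INTO products VALUES (1, 'PublicApp'), (2, 'SecretProject');
        INSERT INTO bugs VALUES
            (100, 1, 'alice@example.com'),
            (101, 2, 'eng1@secret.example.com'),
            (102, 2, 'eng2@secret.example.com');
        -- rbro may see only PublicApp; the anonymous login '' has no rows
        INSERT INTO user_product_access VALUES ('rbro', 1);
    """)
    return db


def report_all_unfiltered(db):
    """The 'All' case as reported: counts per assignee across every product,
    so assignee e-mails of restricted products are shown to any viewer."""
    sql = ("SELECT assigned_to, COUNT(*) FROM bugs "
           "GROUP BY assigned_to ORDER BY assigned_to")
    return db.execute(sql).fetchall()


def accessible_products(db, login):
    """Step one of the proposed fix: the product ids this user may see."""
    rows = db.execute(
        "SELECT product_id FROM user_product_access WHERE login = ?", (login,))
    return [r[0] for r in rows]


def report_all_filtered(db, login):
    """Step two: constrain the stats query to the accessible products, just
    as the single-product case already constrains it to one product."""
    ids = accessible_products(db, login)
    if not ids:
        return []  # 'IN ()' is invalid SQL, and no access means no rows
    marks = ",".join("?" * len(ids))  # one bound placeholder per product id
    sql = (f"SELECT assigned_to, COUNT(*) FROM bugs WHERE product_id IN ({marks}) "
           "GROUP BY assigned_to ORDER BY assigned_to")
    return db.execute(sql, ids).fetchall()
```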
Comment 3 (Assignee) • 22 years ago
I'm not saying it's unfixable - just that I don't plan to fix it, because I have
a large pile of other bugs to get through first :-)
Gerv
Updated • 22 years ago
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
Comment 4 (Assignee) • 22 years ago
This is all going away over in bug 16009.
Gerv
Depends on: 16009
Priority: P2 → P4
Updated • 21 years ago
OS: Windows 2000 → All
Hardware: PC → All
Comment 5 (Assignee) • 21 years ago
This bug is now invalid, because the reports in question are no longer part of
Bugzilla.
Gerv
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Comment 6 • 21 years ago
bulk removing target on WONTFIX/INVALID/WORKSFORME/DUPLICATE so they'll show up
as untriaged if they get reopened.
Target Milestone: Bugzilla 2.18 → ---
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa