Closed
Bug 179491
Opened 22 years ago
Closed 22 years ago
Search involving attachments do not enforce attchment privacy
Categories: Bugzilla :: Query/Bug List, defect, P2
Tracking: RESOLVED FIXED, Bugzilla 2.18
People: Reporter: bugreport, Assigned: bugreport
Attachments: 1 file, 1 obsolete file
(deleted), patch | bbaetz: review+
Good catch by bbaetz on this one...
It is possible for a user without access to private attachments to qualify a bug
query on the contents of an attachment to which that user is supposed to have no
access. (The user still cannot access the attachment itself)
The fix for this is small and low-risk.
Comment 1 • 22 years ago (Assignee)
Updated • 22 years ago (Assignee)
Status: NEW → ASSIGNED
Priority: -- → P2
Summary: Searchs of attchamnets containing a string do not enforce attchment privacy → Searchs of attchaments containing a string do not enforce attchment privacy
Target Milestone: --- → Bugzilla 2.18
Updated • 22 years ago (Assignee)
Attachment #105832 - Flags: review?(myk)
Comment 2 • 22 years ago (Assignee)
changed < 1 to = 0
Attachment #105832 - Attachment is obsolete: true
Updated • 22 years ago
Attachment #105916 - Flags: review+
Updated • 22 years ago (Assignee)
Attachment #105832 - Flags: review?(myk)
Comment 3 • 22 years ago (Assignee)
Checking in Bugzilla/Search.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Search.pm,v <-- Search.pm
new revision: 1.34; previous revision: 1.33
done
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Summary: Searchs of attchaments containing a string do not enforce attchment privacy → Searchs of attachments containing a string do not enforce attchment privacy
Comment 4 • 22 years ago
Clearing security bit on fixed bug. This bug affected people who obtained a
development release between:
2002/08/19 21:17:20 to 2002/11/12 01:58:02 US/Pacific
(+/- about 15 minutes for the cvs mirror)
It was possible for a user to search on attachment titles/status, and get
results even if they couldn't see the attachment. Only existence or absence of
an attribute could be tested; the exact contents and description of the summary
remained hidden. This only affected installations who used the 'insidergroup'
feature.
Group: webtools-security
Summary: Searchs of attachments containing a string do not enforce attchment privacy → Search involving attachments do not enforce attchment privacy
Updated • 12 years ago
QA Contact: matty_is_a_geek → default-qa
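
The leak discussed in this bug and the kind of filter that closes it, as an added example; this is not Bugzilla's Search.pm code or the attached patch. The schema, the `search_bugs` function and its `enforce_privacy` switch are constructed for illustration, and treating 'insidergroup' membership as a boolean is an assumption.

```python
import sqlite3

def build_db():
    """Constructed sample data: bug 1 has a private attachment, bug 2 a public one."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, short_desc TEXT);
        CREATE TABLE attachments (
            attach_id   INTEGER PRIMARY KEY,
            bug_id      INTEGER NOT NULL REFERENCES bugs(bug_id),
            description TEXT NOT NULL,
            isprivate   INTEGER NOT NULL DEFAULT 0);
        INSERT INTO bugs VALUES (1, 'Crash on startup'), (2, 'Typo in docs');
        INSERT INTO attachments VALUES
            (10, 1, 'customer core dump', 1),
            (11, 2, 'docs patch', 0);
    """)
    return db

def search_bugs(db, term, is_insider, enforce_privacy=True):
    """Return ids of bugs that have an attachment whose description contains term.

    enforce_privacy=False reproduces the flaw: the join also matches rows the
    caller may not see, so a hit reveals that a private attachment matches.
    """
    sql = ("SELECT DISTINCT b.bug_id FROM bugs b "
           "JOIN attachments a ON a.bug_id = b.bug_id "
           "WHERE instr(lower(a.description), lower(?)) > 0")
    if enforce_privacy and not is_insider:
        # Hardened form: private attachments never take part in the match.
        sql += " AND a.isprivate = 0"
    sql += " ORDER BY b.bug_id"
    return [row[0] for row in db.execute(sql, (term,))]

if __name__ == "__main__":
    db = build_db()
    print("unfiltered, outsider:", search_bugs(db, "core dump", False, enforce_privacy=False))
    print("filtered, outsider:  ", search_bugs(db, "core dump", False))
    print("filtered, insider:   ", search_bugs(db, "core dump", True))
```

The privacy condition belongs in the same query that does the matching, so a hidden row cannot influence which bugs come back.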