Closed Bug 346564 Opened 18 years ago Closed 18 years ago

[SECURITY] timetracking deadline leaks in XML

Categories

(Bugzilla :: Bug Import/Export & Moving, defect)

Product:
Bugzilla
Component:
Bug Import/Export & Moving
Version:
2.19.2
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: timeless, Assigned: bugzilla-mozilla)

References

(
URL
)

Details

(Whiteboard: [doesn't affect 2.18.x][ready for 2.20.3][ready for 2.22.1][ready for 2.23.3])

Attachments

(2 files)

Patch v1
(deleted), patch
LpSolit
: review+
Details | Diff | Splinter Review
Backport for 2.20 and 2.22
(deleted), patch
LpSolit
: review+
Details | Diff | Splinter Review
The reason is that Bug.pm shows these fields by default: if (Param('timetrackinggroup')) { push @fields, qw(estimated_time remaining_time actual_time deadline); } But show_bug.cgi incorrectly excludes them when the user is not in the timetracking group: unless (UserInGroup(Param("timetrackinggroup"))) { @fieldlist = grep($_ !~ /_time$/, @fieldlist); } The first 3 fields are excluded, but deadline doesn't match the regexp.
Group: webtools-security
Component: User Interface → Bug Import/Export & Moving
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.18
Version: 2.23 → 2.18.5
The fix is not too hard and would prevent confidential data from being displayed. Requesting blocking.
Flags: blocking2.22.1?
Flags: blocking2.20.3?
Flags: blocking2.18.6?
Assignee: ui → bugzilla-mozilla
Deadline is new to Bugzilla 2.20, see bug 103636. Fixing this for 2.18 would be hard ;) Cancelling blocking2.18.6.
Status: NEW → ASSIGNED
Flags: blocking2.18.6?
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
Version: 2.18.5 → 2.20.1
As bkor is working on it, there is a good chance to have it ready for our next set of releases.
Blocks: 346525
Flags: blocking2.22.1?
Flags: blocking2.22.1+
Flags: blocking2.20.3?
Flags: blocking2.20.3+
Attached patch Patch v1 (deleted) — Splinter Review
Found no other unfiled code that leaked the timetracking fields (in any of the Bugzilla versions). Did wonder a bit about percentage_complete and show_bug.cgi, but that field seems to be buglist.cgi only.
Attachment #237541 - Flags: review?(LpSolit)
Comment on attachment 237541 [details] [diff] [review] Patch v1 r=LpSolit
Attachment #237541 - Flags: review?(LpSolit) → review+
Attached patch Backport for 2.20 and 2.22 (deleted) — Splinter Review
Attachment #237613 - Flags: review?(LpSolit)
Comment on attachment 237613 [details] [diff] [review] Backport for 2.20 and 2.22 r=LpSolit
Attachment #237613 - Flags: review?(LpSolit) → review+
Flags: approval?
Flags: approval2.22?
Flags: approval2.20?
Whiteboard: [doesn't affect 2.18.x][ready for 2.20.3][ready for 2.22.1][ready for 2.23.3]
Deadline was first introduced in 2.19.2, so that's when this bug dates back to.
Version: 2.20.1 → 2.19.2
Flags: approval?
Flags: approval2.22?
Flags: approval2.22+
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
tip: Checking in show_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v <-- show_bug.cgi new revision: 1.49; previous revision: 1.48 done 2.22: Checking in show_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v <-- show_bug.cgi new revision: 1.38.2.1; previous revision: 1.38 done 2.20: Checking in show_bug.cgi; /cvsroot/mozilla/webtools/bugzilla/show_bug.cgi,v <-- show_bug.cgi new revision: 1.32.4.2; previous revision: 1.32.4.1 done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Summary: timetracking deadline leaks in xml → [SECURITY] timetracking deadline leaks in XML
Security Advisory has been sent, so this bug is no longer private.
Group: webtools-security
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: