Closed Bug 417048 (CVE-2010-2756) Opened 17 years ago Closed 14 years ago

[SECURITY] Boolean charts let me query for users being in any given group

Categories: Bugzilla :: Query/Bug List, defect
Version: 2.19.1
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.2
People: Reporter: LpSolit, Assigned: LpSolit
Attachments: 3 files

"ReportedBy" "is equal to" "%group.admin%" returns all bugs where the reporter is in the admin group, even though I'm not in the admin group and cannot access editusers.cgi (as I cannot bless anybody). AFAIK, such data should be restricted to power users who can access editusers.cgi. Moreover, query.cgi throws an error if I type a group name which doesn't exist, so I can use this trick to guess existing groups. IMO, query.cgi should only let you enter group names you belong to, nothing more. Talking about this with dveditz and justdave on IRC, they both think it's not a problem on b.m.o, because they don't mind if people know who is in which group, but it may matter for some other installations, which is why I'm restricting this bug to the security group. The %group.foo% group substitution feature was implemented in Bugzilla 2.20 in bug 244239, so this problem has existed for a long time.
Yes, I agree this is a security issue, for some installations, though not extremely serious.
Target Milestone: --- → Bugzilla 2.20
Group: webtools-security → bugzilla-security
Group: bugzilla-security → webtools-security
Group: webtools-security → bugzilla-security
Bugzilla 2.20 is no longer supported. Retargeting to 2.22.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Bugzilla 2.x is no longer supported. Retargeting to 3.0.
Target Milestone: Bugzilla 2.22 → Bugzilla 3.0
Bugzilla 3.0 is EOL. We will retarget this bug when it's fixed.
Target Milestone: Bugzilla 3.0 → ---
Attached patch: patch for 3.4 - 4.0, v1 (deleted)
Restrict the usage of %group.foo% to groups you belong to. Group visibility is already handled by ValidateGroupName().
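To make the membership restriction described above concrete, here is an added Python model of the before and after behaviour of `%group.foo%` expansion; it is not Bugzilla's Perl code, and the group data, user logins and error messages are constructed for the example (how the real patch reports a non-member group, and whether unknown group names are distinguishable, is not modelled here).

```python
import re

# Constructed sample data (not from any real Bugzilla instance):
# group name -> set of member logins.
GROUPS = {
    "admin": {"justdave@example.com", "dveditz@example.com"},
    "editbugs": {"lpsolit@example.com", "justdave@example.com"},
    "security": {"dveditz@example.com"},
}

# A boolean-chart value of the form %group.foo% (the substitution syntax
# introduced in bug 244239).
GROUP_TOKEN = re.compile(r"^%group\.([^%]+)%$")


def expand_group_value_vulnerable(value):
    """Pre-fix behaviour (modelled): any %group.foo% expands to the full
    membership of foo, and an unknown group raises a distinct error, so a
    user can read any group's membership and probe which names exist."""
    m = GROUP_TOKEN.match(value)
    if not m:
        return {value}          # plain login, no substitution
    name = m.group(1)
    if name not in GROUPS:
        raise ValueError("group %s does not exist" % name)
    return set(GROUPS[name])


def expand_group_value_fixed(value, user):
    """Post-fix behaviour (modelled on the patch description): %group.foo%
    is honoured only when the requesting user is a member of foo. A group
    the user is not in is refused, whether or not it exists, so the query
    no longer reveals other groups' membership."""
    m = GROUP_TOKEN.match(value)
    if not m:
        return {value}
    name = m.group(1)
    if user not in GROUPS.get(name, set()):
        raise PermissionError("you are not a member of group %s" % name)
    return set(GROUPS[name])
```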
Assignee: query-and-buglist → LpSolit
Status: NEW → ASSIGNED
Attachment #456161 - Flags: review?(mkanat)
Attachment #456161 - Flags: review?(mkanat) → review+
Once we branch, Search.pm is going to change pretty rapidly. I already know that the area around this patch will change with a patch that I already have pending checkin. But the patch should be un-bitrottable with little change.
Target Milestone: --- → Bugzilla 3.2
Flags: blocking3.6.2+
Flags: blocking3.2.8+
Flags: approval?
Flags: approval3.4+
Flags: blocking4.0+
Flags: blocking3.4.8+
Flags: approval3.6?
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Summary: Boolean charts let me query for users being in any given group → [SECURITY] Boolean charts let me query for users being in any given group
Attached patch: patch for 3.2, v1 (deleted)
Same patch as for 3.4 - 4.0, but fixed a tiny bitrot.
Attachment #456168 - Flags: review?(mkanat)
Attachment #456168 - Flags: review?(mkanat) → review+
Flags: approval4.0?
It should be safe to re-write the patch for trunk now. The code moved into a different location than it is in 4.0, so the 4.0 patch won't apply.
Attachment #456161 - Attachment description: patch, v1 → patch for 3.4 - 4.0, v1
Depends on: 579797
(In reply to comment #8)
> It should be safe to re-write the patch for trunk now.

Bug 579797 must be fixed first, as Search.pm now leaks too much information.
(In reply to comment #9)
> Bug 579797 must be fixed first, as Search.pm now leaks too much information.

No, it does not, see my comment there. We decided that group names are no longer confidential in the guessing sense. That is, if you guess, we'll tell you explicitly whether or not they don't exist. If you want to have a technical discussion about this, we should do it on the developers list.
Attached patch: patch for 4.2, v1 (deleted)
Attachment #458607 - Flags: review?(mkanat)
Comment on attachment 458607 (patch for 4.2, v1): Looks good.
Attachment #458607 - Flags: review?(mkanat) → review+
Blocks: 580214
Version: 3.1.3 → 2.19.1
Alias: CVE-2010-2756
Flags: approval?
Flags: approval4.0?
Flags: approval4.0+
Flags: approval3.6?
Flags: approval3.6+
Flags: approval3.4?
Flags: approval3.4+
Flags: approval3.2?
Flags: approval3.2+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Search.pm
Committed revision 7428.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/Search.pm
Committed revision 7369.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Search.pm
Committed revision 7157.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
modified Bugzilla/Search.pm
Committed revision 6771.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.2/
modified Bugzilla/Search.pm
Committed revision 6392.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Security advisory sent, unlocking bug.
Group: bugzilla-security