Closed Bug 468249 Opened 16 years ago Closed 16 years ago

Security Advisory for Bugzilla 3.3.2, 3.2.1, 3.0.7 and 2.22.7

Categories: Bugzilla :: Bugzilla-General
Type: defect
Priority: Not set
Severity: blocker
Status: RESOLVED FIXED
People: Reporter: LpSolit, Assigned: mkanat
Attachments: 1 file, 5 obsolete files

My initial goal was to fix bug 38862 only. But it appeared that we couldn't reliably fix it without fixing bug 26257 at the same time. But then, some people started mentioning a whole list of CSRF issues we have. So we have no other choice than to fix as many of them at once as possible; they are listed in the dependency list of this bug. If we finally decide to release 3.3.1 without this set of security bugs, then we just need to change the bug summary to mention 3.3.2.
No longer depends on: 466748
Attached file v1 (obsolete) (deleted) —
Okay, here we go! This one's fairly involved, and it also contains instructions for administrators to set attachmentbase.
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #355500 - Flags: review?
Comment on attachment 355500 [details] v1
>* It was possible for users to upload a malicious attachment to
> that would run in the context of Bugzilla's domain
s/to// ?
>Class: Cross-Site Request Forgery
>Versions: 2.17 and higher
Why 2.17?
It seems to me that you are much more verbose than usual, especially about process_bug.cgi. Maybe the last paragraph about the fact that this bug was public before is not needed?
I don't think you need the "The" in front of "Mozilla Corporation" in the credits.
(In reply to comment #2)
> Why 2.17?
Since that's when flags were introduced? It's actually some 2.17.x version, really. I could just put "All versions" since keywords have always been around, haven't they?
> It seems to me that you are much more verbose than usual, especially about
> process_bug.cgi. Maybe the last paragraph about the fact that this bug was
> public before is not needed?
I'm definitely much more verbose than usual. The problem is that people write news articles based on security advisories, and so I want the full explanation and justification of why we're not fixing it on earlier branches in the security advisory itself.
(In reply to comment #4)
> Since that's when flags were introduced? It's actually some 2.17.x version,
> really. I could just put "All versions" since keywords have always been around,
> haven't they?
Yes, keywords have always been here, before flags.
I'm sure the attachment thing is pending some rewording now, due to bug 472206 and whatever we end up doing there.
I hope other sec bugs will be reviewed on time for 3.3.2. :)
Depends on: 472206
Summary: Security Advisory for Bugzilla 3.3.1, 3.2.1, 3.0.7 and 2.22.7 → Security Advisory for Bugzilla 3.3.2, 3.2.1, 3.0.7 and 2.22.7
Comment on attachment 355500 [details] v1
> Bugzilla 3.2 limited the effectiveness of this attack
> by making the login cookies "HTTPOnly", so in some
> browsers, malicious attachments couldn't access cookies.
> However, browsers with no HTTPOnly support (or broken
> HTTPOnly support) are still vulnerable, and versions of
> Bugzilla before 3.2 were also still vulnerable.
HTTPOnly may prevent the malicious attachment from stealing the session cookie for later use (although the IP-address use restrictions generally prevent that), but they don't at all prevent the attachment from acting on the user's behalf. The browser will send the HTTPOnly cookies whether the evil attachment ever learns them or not.
> It is only included in this security advisory to note that
> a fix is now available, and so that administrators can
> judge whether or not a major Bugzilla upgrade is
> justified, to get the fix.
Drop the last comma, or drop the whole phrase or something. Or maybe reorder: "and so that administrators can judge [decide? evaluate?] whether the fix justifies a major Bugzilla upgrade."
Depends on: 472362
Attachment #355500 - Flags: review? → review-
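Added example, not Bugzilla's code, illustrating the point made in the comment above: the browser attaches the login cookie to every request a page triggers, HttpOnly or not, so a handler that trusts the cookie alone accepts a forged request, while binding each state-changing action to a token derived from the session rejects it. The cookie name, key and handler are constructed; this kind of token check is what the advisory describes for bug updates, keyword/flag/saved-search deletion and preferences, and it does not protect against content served from Bugzilla's own domain, which is why attachments get a separate attachmentbase.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; in a real deployment this lives in config.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, action: str) -> str:
    """Token embedded in the form by the server; bound to session and action."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_request(req: dict, sessions: dict) -> str:
    """Simulated state-changing handler (e.g. deleting a keyword).

    The cookie proves who the browser is logged in as; it cannot prove that
    the user intended this request, because the browser sends it for any
    request to the site, including one triggered by another page.
    """
    session_id = req.get("cookies", {}).get("login_cookie")   # constructed name
    if session_id not in sessions:
        return "rejected: not logged in"
    token = req.get("params", {}).get("token")
    expected = issue_token(session_id, req["action"])
    # Constant-time compare; a missing or mismatched token means the request
    # did not originate from a form the server rendered for this session.
    if token is None or not hmac.compare_digest(token, expected):
        return "rejected: token missing or invalid"
    return f"ok: {req['action']} for {sessions[session_id]}"


def simulate() -> dict:
    """Run a forged (cookie-only) and a legitimate (cookie+token) request."""
    sessions = {"s1": "alice"}                  # constructed session table
    cookies = {"login_cookie": "s1"}            # sent automatically by the browser
    forged = {"action": "delete_keyword", "cookies": cookies,
              "params": {"id": 7}}              # no token: came from elsewhere
    legit = {"action": "delete_keyword", "cookies": cookies,
             "params": {"id": 7, "token": issue_token("s1", "delete_keyword")}}
    return {"forged": handle_request(forged, sessions),
            "legit": handle_request(legit, sessions)}


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```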
Comment on attachment 355500 [details] v1 There are now 5 security bugs ready, not 3, so the sec adv must be updated accordingly.
Depends on: 466748
We now have all 6 security bugs ready for checkin \o/. You can update the sec adv without the fear that another sec bug joins the team. :)
Thanks so much for all the hard work you guys have put into this release. It's awesome to have so many security bugs fixed.
Attached file v2 (obsolete) (deleted) —
Okay, here's the new version.
Attachment #355500 - Attachment is obsolete: true
Attachment #359607 - Flags: review?
Attached file v3 (obsolete) (deleted) —
Re-worded some things at the top slightly.
Attachment #359607 - Attachment is obsolete: true
Attachment #359608 - Flags: review?
Attachment #359607 - Flags: review?
Comment on attachment 359608 [details] v3
>Bugzilla is a Web-based bug-tracking system, used by a large number of
>software projects.
Drop the comma after "system", please.
>* Bug updating was vulnerable to a cross-site request forgery.
> Note that this issue was only fixed in the 3.2 branch even though
> all versions of Bugzilla are affected (see below for an explanation).
Might say "3.2 branch and newer".
>* Keywords, unused flag types, and saved searches could be deleted, via
> cross-site request forgery. Also, a user's preferences could be
> changed via cross-site request forgery.
Drop the comma after "deleted", please.
>Description: Bugzilla users can upload HTML or Javascript attachments
It's JavaScript.
> users from viewing attachments in their browsers, by
> default. There is a new parameter named
Drop the comma after "browsers", please.
>Description: Bug updating was vulnerable to a cross-site request
> forgery, because it did not validate that calls to
Drop the comma after "forgery", please.
> (never set on any bug or attachment) flags, or when a user
> updated their preferences, Bugzilla did not properly
> validate that the request came from Bugzilla. So, it was
> possible to trick a user into click on a link that would
> perform these actions without their consent.
s@their@his/her@g
>Teemu Mannermaa
Remove extra trailing whitespace.
Looks good overall!
Attached file v4 (obsolete) (deleted) —
Addressed some of reed's comments (chose not to address others).
Attachment #359608 - Attachment is obsolete: true
Attachment #359626 - Flags: review?
Attachment #359608 - Flags: review?
Comment on attachment 359626 [details] v4
>The fix for the security bugs mentioned in this advisory are included in
>the 3.2.1, 3.0.7, and 2.22.7 releases (though certain issues are only
>fixed for certain versions, as noted above).
Why don't you mention 3.3.2? Otherwise looks good. r=LpSolit
Attachment #359626 - Flags: review? → review+
(In reply to comment #16)
> Why don't you mention 3.3.2? Otherwise looks good. r=LpSolit
Oh, just forgot to fix that. The original was written before there was even a dev release on the 3.3 branch.
Attached file v5 (obsolete) (deleted) —
Okay, attaching a version with that fixed. Carrying forward LpSolit's r+.
Attachment #359626 - Attachment is obsolete: true
Attachment #360045 - Flags: review+
Attached file v6 (deleted) —
justdave pointed out that I missed updating one of the statements about what versions the process_bug CSRF was fixed in.
Attachment #360045 - Attachment is obsolete: true
Attachment #360047 - Flags: review+
Security Advisory sent.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Group: bugzilla-security