authorFrédéric Buclin <LpSolit@gmail.com>2012-11-13 18:36:33 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-11-13 18:36:33 +0100
commit528016e235194489877c73835ad5296f2180440d (patch)
treeb602dd3a13f79aafe1efb5d0ae45d231d1ae07a8
parentbe126b5b3ce49ae4d3c1591cccca40cb369c4dd3 (diff)
downloadbugzilla-528016e235194489877c73835ad5296f2180440d.tar.gz
bugzilla-528016e235194489877c73835ad5296f2180440d.tar.xz
Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using User.get()
r=dkl a=LpSolit
-rw-r--r--Bugzilla/WebService/Constants.pm1
-rw-r--r--Bugzilla/WebService/User.pm26
2 files changed, 21 insertions, 6 deletions
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 59aab9b55..6274c3a78 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -166,6 +166,7 @@ use constant WS_ERROR_CODE => {
group_exists => 801,
empty_group_description => 802,
invalid_regexp => 803,
+ invalid_group_name => 804,
# Errors thrown by the WebService itself. The ones that are negative
# conform to http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index f8704a947..deb7518ec 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -233,12 +233,18 @@ sub _filter_users_by_group {
# If no groups are specified, we return all users.
return $users if (!$group_ids and !$group_names);
+ my $user = Bugzilla->user;
+
my @groups = map { Bugzilla::Group->check({ id => $_ }) }
@{ $group_ids || [] };
- my @name_groups = map { Bugzilla::Group->check($_) }
- @{ $group_names || [] };
- push(@groups, @name_groups);
-
+
+ if ($group_names) {
+ foreach my $name (@$group_names) {
+ my $group = Bugzilla::Group->check({ name => $name, _error => 'invalid_group_name' });
+ $user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name });
+ push(@groups, $group);
+ }
+ }
my @in_group = grep { $self->_user_in_any_group($_, \@groups) }
@$users;
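Review bot: The `$user->in_group($group)` check added in the `if ($group_names)` loop gates only the names passed via `groups`; the `group_ids` branch just above it still resolves each id with `Bugzilla::Group->check({ id => $_ })` and pushes the group without any membership test, so a caller who is not in a group can still pass its id and have the returned user list filtered down to that group's members (the POD in a later hunk describes this path only as "bad group ID"). If that asymmetry is not intended, the id branch should use the same shape as the name loop, e.g. `my $group = Bugzilla::Group->check({ id => $_, _error => 'invalid_group_name' });` followed by `$user->in_group($group) or ThrowUserError('invalid_group_name', { name => $group->name });`, so that a non-existent id and a non-member id produce the same response. As a point of style, `$user->in_group($group) || ThrowUserError(...)` uses `||` for flow control where low-precedence `or` is the conventional and less surprising choice. `_filter_users_by_group` begins and ends outside this hunk, so any handling of `$group_ids` elsewhere in the sub is not visible here.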
@@ -586,10 +592,10 @@ C<real_name>, C<email>, and C<can_login> items.
=over
-=item 51 (Bad Login Name or Group Name)
+=item 51 (Bad Login Name or Group ID)
You passed an invalid login name in the "names" array or a bad
-group name/id in the C<groups>/C<group_ids> arguments.
+group ID in the C<group_ids> argument.
=item 304 (Authorization Required)
@@ -601,6 +607,11 @@ wanted to get information about by user id.
Logged-out users cannot use the "ids" or "match" arguments to this
function.
+=item 804 (Invalid Group Name)
+
+You passed a group name in the C<groups> argument which either does not
+exist or you do not belong to it.
+
=back
=item B<History>
@@ -614,6 +625,9 @@ function.
=item C<include_disabled> added in Bugzilla B<4.0>. Default behavior
for C<match> has changed to only returning enabled accounts.
+=item Error 804 has been added in Bugzilla 4.0.9 and 4.2.4. It's now
+illegal to pass a group name you don't belong to.
+
=back
=back