summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjustdave%bugzilla.org <>2004-10-25 16:19:05 +0200
committerjustdave%bugzilla.org <>2004-10-25 16:19:05 +0200
commit23df77be557e495a78808769378ce1f29ac00b4f (patch)
treeb666f7f287d3276f4c50b5bd547a69e7b6a1eda8
parentb121584e4a4c4dd1ca7ffd1d8cdf51b8a8551a07 (diff)
downloadbugzilla-23df77be557e495a78808769378ce1f29ac00b4f.tar.gz
bugzilla-23df77be557e495a78808769378ce1f29ac00b4f.tar.xz
[SECURITY] Bug 252638: It is possible to send a carefully crafted HTTP POST message to process_bug.cgi which will remove keywords from a bug even if you don't have permissions to edit all bug fields (the "editbugs" permission). Such changes are reported in "bug changed" email notifications, so they are easily detected and reversed if someone abuses it.
Patch by Myk Melez <myk@mozilla.org> r=gerv, a=justdave
-rwxr-xr-xprocess_bug.cgi22
1 files changed, 21 insertions, 1 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 9e47d8f98..c265ab8b9 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -1034,6 +1034,9 @@ if ($::FORM{'keywords'}) {
}
my $keywordaction = $::FORM{'keywordaction'} || "makeexact";
+if (!grep($keywordaction eq $_, qw(add delete makeexact))) {
+ $keywordaction = "makeexact";
+}
if ($::comma eq ""
&& (! @groupAdd) && (! @groupDel)
@@ -1174,6 +1177,23 @@ foreach my $id (@idlist) {
$i++;
}
+ # When editing multiple bugs, users can specify a list of keywords to delete
+ # from bugs. If the list matches the current set of keywords on those bugs,
+ # CheckCanChangeField above will fail to check permissions because it thinks
+ # the list hasn't changed. To fix that, we have to call CheckCanChangeField
+ # again with old!=new if the keyword action is "delete" and old=new.
+ if ($keywordaction eq "delete"
+ && exists $::FORM{keywords}
+ && length(@keywordlist) > 0
+ && $::FORM{keywords} eq $oldhash{keywords}
+ && !CheckCanChangeField("keywords", $id, "old is not", "equal to new"))
+ {
+ $vars->{'oldvalue'} = $oldhash{keywords};
+ $vars->{'newvalue'} = "no keywords";
+ $vars->{'field'} = "keywords";
+ ThrowUserError("illegal_change", $vars, "abort");
+ }
+
$oldhash{'product'} = get_product_name($oldhash{'product_id'});
if (!CanEditProductId($oldhash{'product_id'})) {
ThrowUserError("product_edit_denied",
@@ -1311,7 +1331,7 @@ foreach my $id (@idlist) {
$bug_changed = 1;
}
- if (@::legal_keywords) {
+ if (@::legal_keywords && exists $::FORM{keywords}) {
# There are three kinds of "keywordsaction": makeexact, add, delete.
# For makeexact, we delete everything, and then add our things.
# For add, we delete things we're adding (to make sure we don't