author | mkanat%kerio.com <> | 2005-07-08 14:35:20 +0200 |
---|---|---|
committer | mkanat%kerio.com <> | 2005-07-08 14:35:20 +0200 |
commit | 9b11535c66ebe5103afea0eb87e92c939a975d34 (patch) | |
tree | 7578009e82dda6eb3ab2ba8d5d843be30d7464e5 | |
parent | 0d7a4fbf959a1c522350786e83df580476bf5642 (diff) | |
Bug 292544: [SECURITY] Can see a security-sensitive bug in buglist.cgi for a short time when there are certain performance problems
Patch By Frederic Buclin <LpSolit@gmail.com> r=joel, a=justdave
-rw-r--r-- | Bugzilla/DB/Schema.pm | 2 | ||||
-rw-r--r-- | Bugzilla/Search.pm | 2 | ||||
-rw-r--r-- | Bugzilla/User.pm | 19 | ||||
-rwxr-xr-x | checksetup.pl | 3 | ||||
-rwxr-xr-x | post_bug.cgi | 17 |
5 files changed, 30 insertions, 13 deletions
diff --git a/Bugzilla/DB/Schema.pm b/Bugzilla/DB/Schema.pm index c7d4a5583..52d1b3212 100644 --- a/Bugzilla/DB/Schema.pm +++ b/Bugzilla/DB/Schema.pm @@ -156,7 +156,7 @@ use constant ABSTRACT_SCHEMA => { bug_file_loc => {TYPE => 'TEXT'}, bug_severity => {TYPE => 'varchar(64)', NOTNULL => 1}, bug_status => {TYPE => 'varchar(64)', NOTNULL => 1}, - creation_ts => {TYPE => 'DATETIME', NOTNULL => 1}, + creation_ts => {TYPE => 'DATETIME'}, delta_ts => {TYPE => 'DATETIME', NOTNULL => 1}, short_desc => {TYPE => 'MEDIUMTEXT', NOTNULL => 1}, op_sys => {TYPE => 'varchar(64)', NOTNULL => 1}, diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index e69c3232f..ec93e96a8 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -1357,7 +1357,7 @@ sub init { } $query .= " WHERE " . join(' AND ', (@wherepart, @andlist)) . - " AND ((bug_group_map.group_id IS NULL)"; + " AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL)"; if ($user->id) { my $userid = $user->id; diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index c9817a4d9..ff88b9f3b 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -356,7 +356,7 @@ sub can_see_bug { # is cached because this may be called for every row in buglists or # every bug in a dependency list. unless ($sth) { - $sth = $dbh->prepare("SELECT reporter, assigned_to, qa_contact, + $sth = $dbh->prepare("SELECT 1, reporter, assigned_to, qa_contact, reporter_accessible, cclist_accessible, COUNT(cc.who), COUNT(bug_group_map.bug_id) FROM bugs 
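Review bot: The `creation_ts` entry in `ABSTRACT_SCHEMA` now allows NULL, and the rest of the commit uses NULL as a "bug not fully created yet" marker, but nothing at the column definition says so. A comment on that line would record it, for example `# NULL until post_bug.cgi has finished creating the bug; such rows must stay hidden.` Only the query in Search.pm and `can_see_bug` in User.pm are taught about the marker here, so any other code that reads `bugs` directly presumably still sees half-created rows and should be audited.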
@@ -367,22 +367,23 @@ sub can_see_bug { ON bugs.bug_id = bug_group_map.bug_id AND bug_group_map.group_ID NOT IN(" . join(',',(-1, values(%{$self->groups}))) . - ") WHERE bugs.bug_id = ? " . + ") WHERE bugs.bug_id = ? + AND creation_ts IS NOT NULL " . $dbh->sql_group_by('bugs.bug_id', 'reporter, ' . 'assigned_to, qa_contact, reporter_accessible, ' . 'cclist_accessible')); } $sth->execute($bugid); - my ($reporter, $owner, $qacontact, $reporter_access, $cclist_access, + my ($ready, $reporter, $owner, $qacontact, $reporter_access, $cclist_access, $isoncclist, $missinggroup) = $sth->fetchrow_array(); $sth->finish; $self->{sthCanSeeBug} = $sth; - return ( (($reporter == $userid) && $reporter_access) - || (Param('useqacontact') && $qacontact && - ($qacontact == $userid)) - || ($owner == $userid) - || ($isoncclist && $cclist_access) - || (!$missinggroup) ); + return ($ready + && ((($reporter == $userid) && $reporter_access) + || (Param('useqacontact') && $qacontact && ($qacontact == $userid)) + || ($owner == $userid) + || ($isoncclist && $cclist_access) + || (!$missinggroup))); } sub get_selectable_products { diff --git a/checksetup.pl b/checksetup.pl index 176ad463c..b5158ccb3 100755 --- a/checksetup.pl +++ b/checksetup.pl @@ -3966,6 +3966,9 @@ if (!exists $dbh->bz_column_info('milestones', 'sortkey')->{DEFAULT}) { {TYPE => 'INT2', NOTNULL => 1, DEFAULT => 0}); } +# 2005-06-14 - LpSolit@gmail.com - Bug 292544: only set creation_ts +# when all bug fields have been correctly set. +$dbh->bz_alter_column('bugs', 'creation_ts', {TYPE => 'DATETIME'}); # If you had to change the --TABLE-- definition in any way, then add your # differential change code *** A B O V E *** this comment. diff --git a/post_bug.cgi b/post_bug.cgi index 70030dc1a..576c4c2c3 100755 --- a/post_bug.cgi +++ b/post_bug.cgi 
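Review bot: `$ready` in the new `return` is only ever the literal `1` from the `SELECT 1, ...` added in the previous hunk, so it is really a "a row came back" flag, and the code does not say that. A comment above the `my ($ready, ...` line would make it clear: `# $ready is undef when no row matches: the bug does not exist or its creation_ts is still NULL.` The guard also appears to close an older fall-through, where an empty result left `$missinggroup` undefined and `!$missinggroup` made the function return true. That change in behaviour for nonexistent bug ids is worth stating, since callers may have relied on it. `can_see_bug` starts before this hunk.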
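Review bot: The `bz_alter_column` call in checksetup.pl is unguarded and runs on every invocation, unlike the `if (!exists ...)` test around the milestones change just above it. That is harmless only if `bz_alter_column` skips a column whose definition already matches, which this hunk does not show. If it does, the comment should say so, e.g. `# bz_alter_column does nothing once creation_ts already allows NULL.`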
@@ -288,8 +288,9 @@ my $timestamp = FetchOneColumn(); my $sql_timestamp = SqlQuote($timestamp); # Build up SQL string to add bug. +# creation_ts will only be set when all other fields are defined. my $sql = "INSERT INTO bugs " . - "(" . join(",", @used_fields) . ", reporter, creation_ts, delta_ts, " . + "(" . join(",", @used_fields) . ", reporter, delta_ts, " . "estimated_time, remaining_time, deadline) " . "VALUES ("; @@ -303,7 +304,7 @@ $comment = trim($comment); # OK except for the fact that it causes e-mail to be suppressed. $comment = $comment ? $comment : " "; -$sql .= "$::userid, $sql_timestamp, $sql_timestamp, "; +$sql .= "$::userid, $sql_timestamp, "; # Time Tracking if (UserInGroup(Param("timetrackinggroup")) && @@ -377,6 +378,11 @@ while (MoreSQLData()) { } # Add the bug report to the DB. +$dbh->bz_lock_tables('bugs WRITE', 'bug_group_map WRITE', 'longdescs WRITE', + 'cc WRITE', 'keywords WRITE', 'dependencies WRITE', + 'bugs_activity WRITE', 'groups READ', 'user_group_map READ', + 'keyworddefs READ', 'fielddefs READ'); + SendSQL($sql); # Get the bug ID back. @@ -436,6 +442,13 @@ if (UserInGroup("editbugs")) { } } +# All fields related to the newly created bug are set. +# The bug can now be made accessible. +$dbh->do("UPDATE bugs SET creation_ts = ? WHERE bug_id = ?", + undef, ($timestamp, $id)); + +$dbh->bz_unlock_tables(); + # Email everyone the details of the new bug $vars->{'mailrecipients'} = {'changer' => Bugzilla->user->login}; |
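Review bot: The table list given to `bz_lock_tables` has to name every table used until the `bz_unlock_tables` call in the last hunk, and most of the code in between is outside this diff, so the list cannot be checked from here. On MySQL a statement against a table that is not in the lock list fails while the locks are held, which would abort bug creation partway through. A comment at the call would help keep the list current: `# Every table touched before bz_unlock_tables() below must be listed here.`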
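Review bot: The `UPDATE bugs SET creation_ts` statement is the only step that makes the new bug visible, and nothing handles a failure between the `INSERT` and this line. If the script exits in that stretch (the code is outside the hunks, so this is inferred), the row keeps a NULL `creation_ts`. It stays hidden, which is the safe direction, but it still holds a bug id and nothing in this commit reports or removes it. A comment here would at least record the state: `# A bug left with NULL creation_ts was never finished; it stays hidden and needs manual cleanup.` A periodic consistency check for such rows would be a useful follow-up.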