diff options
| author | justdave%bugzilla.org <> | 2004-10-25 16:19:05 +0200 |
|---|---|---|
| committer | justdave%bugzilla.org <> | 2004-10-25 16:19:05 +0200 |
| commit | 23df77be557e495a78808769378ce1f29ac00b4f (patch) | |
| tree | b666f7f287d3276f4c50b5bd547a69e7b6a1eda8 /process_bug.cgi | |
| parent | b121584e4a4c4dd1ca7ffd1d8cdf51b8a8551a07 (diff) | |
| download | bugzilla-23df77be557e495a78808769378ce1f29ac00b4f.tar.gz bugzilla-23df77be557e495a78808769378ce1f29ac00b4f.tar.xz | |
[SECURITY] Bug 252638: It is possible to send a carefully crafted HTTP POST message to process_bug.cgi which will remove keywords from a bug even if you don't have permissions to edit all bug fields (the "editbugs" permission). Such changes are reported in "bug changed" email notifications, so they are easily detected and reversed if someone abuses it.
Patch by Myk Melez <myk@mozilla.org>
r=gerv, a=justdave
Diffstat (limited to 'process_bug.cgi')
| -rwxr-xr-x | process_bug.cgi | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/process_bug.cgi b/process_bug.cgi index 9e47d8f98..c265ab8b9 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -1034,6 +1034,9 @@ if ($::FORM{'keywords'}) { } my $keywordaction = $::FORM{'keywordaction'} || "makeexact"; +if (!grep($keywordaction eq $_, qw(add delete makeexact))) { + $keywordaction = "makeexact"; +} if ($::comma eq "" && (! @groupAdd) && (! @groupDel) @@ -1174,6 +1177,23 @@ foreach my $id (@idlist) { $i++; } + # When editing multiple bugs, users can specify a list of keywords to delete + # from bugs. If the list matches the current set of keywords on those bugs, + # CheckCanChangeField above will fail to check permissions because it thinks + # the list hasn't changed. To fix that, we have to call CheckCanChangeField + # again with old!=new if the keyword action is "delete" and old=new. + if ($keywordaction eq "delete" + && exists $::FORM{keywords} + && length(@keywordlist) > 0 + && $::FORM{keywords} eq $oldhash{keywords} + && !CheckCanChangeField("keywords", $id, "old is not", "equal to new")) + { + $vars->{'oldvalue'} = $oldhash{keywords}; + $vars->{'newvalue'} = "no keywords"; + $vars->{'field'} = "keywords"; + ThrowUserError("illegal_change", $vars, "abort"); + } + $oldhash{'product'} = get_product_name($oldhash{'product_id'}); if (!CanEditProductId($oldhash{'product_id'})) { ThrowUserError("product_edit_denied", @@ -1311,7 +1331,7 @@ foreach my $id (@idlist) { $bug_changed = 1; } - if (@::legal_keywords) { + if (@::legal_keywords && exists $::FORM{keywords}) { # There are three kinds of "keywordsaction": makeexact, add, delete. # For makeexact, we delete everything, and then add our things. # For add, we delete things we're adding (to make sure we don't |