From f3b17d9f5351d9eca8d2c7f0feb272432fc398c9 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Sat, 12 Oct 2013 00:13:42 +0200 Subject: Bug 912640: Release notes for Bugzilla 4.2.7 r=dkl a=LpSolit --- template/en/default/pages/release-notes.html.tmpl | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 3d5b36b45..ebc08afb1 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -53,6 +53,36 @@

Updates in this 4.2.x Release

+

4.2.7

+ +

This release fixes several security issues. See the + Security Advisory + for details.

+ +

In addition, the following [% terms.bugs %] have been fixed in this release:

+ + +

4.2.6

The following important fixes/changes have been made in this release:

-- cgit v1.2.3-24-g4f1b From 3771585c730f31f36a5efa3bd6b053ddf66bb2ba Mon Sep 17 00:00:00 2001 From: Dave Lawrence Date: Wed, 16 Oct 2013 12:05:10 -0400 Subject: Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=glob --- Bugzilla/Token.pm | 22 +++++++++++++++++----- template/en/default/global/code-error.html.tmpl | 3 +++ token.cgi | 7 ++++--- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index 2bb68e721..9c2242f63 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -275,13 +275,18 @@ sub Cancel { # Get information about the token being canceled. trick_taint($token); - my ($issuedate, $tokentype, $eventdata, $userid) = - $dbh->selectrow_array('SELECT ' . $dbh->sql_date_format('issuedate') . ', + my ($db_token, $issuedate, $tokentype, $eventdata, $userid) = + $dbh->selectrow_array('SELECT token, ' . $dbh->sql_date_format('issuedate') . ', tokentype, eventdata, userid FROM tokens WHERE token = ?', undef, $token); + # Some DBs such as MySQL are case-insensitive by default so we do + # a quick comparison to make sure the tokens are indeed the same. + (defined $db_token && $db_token eq $token) + || ThrowCodeError("cancel_token_does_not_exist"); + # If we are canceling the creation of a new user account, then there # is no entry in the 'profiles' table. my $user = new Bugzilla::User($userid); 
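Review bot: The post-query `eq` guard added in Cancel protects only this one SELECT; any other lookup keyed on `tokens.token` in Token.pm outside this diff (the password-token and email-change helpers, if they query by token value) would still match case-insensitively on MySQL and needs the same comparison. A column-level fix — a binary/case-sensitive collation on `token`, or `WHERE BINARY token = ?` in the SQL — would cover every query at once, and a one-line comment here saying why the check is repeated per call site would stop the next reader from treating it as redundant. `ThrowCodeError` (rather than a user error) is defensible only if Cancel is reached after token.cgi's own existence check, which is not visible here; if so, say it inline: `# token.cgi has already verified the token; a miss here is an internal error`. The body of Cancel continues past the end of the hunk.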
@@ -346,10 +351,17 @@ sub GetTokenData { $token = clean_text($token); trick_taint($token); - return $dbh->selectrow_array( - "SELECT userid, " . $dbh->sql_date_format('issuedate') . ", eventdata - FROM tokens + my @token_data = $dbh->selectrow_array( + "SELECT token, userid, " . $dbh->sql_date_format('issuedate') . ", eventdata + FROM tokens WHERE token = ?", undef, $token); + + # Some DBs such as MySQL are case-insensitive by default so we do + # a quick comparison to make sure the tokens are indeed the same. + my $db_token = shift @token_data; + return undef if (!defined $db_token || $db_token ne $token); + + return @token_data; } # Deletes specified token diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl index 24e46fb14..877fe8d66 100644 --- a/template/en/default/global/code-error.html.tmpl +++ b/template/en/default/global/code-error.html.tmpl @@ -438,6 +438,9 @@ [% ELSIF error == "token_generation_error" %] Something is seriously wrong with the token generation system. + [% ELSIF error == "cancel_token_does_not_exist" %] + The token to be cancelled does not exist. + [% ELSIF error == "template_error" %] [% template_error_msg FILTER html %] diff --git a/token.cgi b/token.cgi index 20870159a..ae9800d72 100755 --- a/token.cgi +++ b/token.cgi @@ -67,9 +67,10 @@ if ($token) { trick_taint($token); # Make sure the token exists in the database. - my ($tokentype) = $dbh->selectrow_array('SELECT tokentype FROM tokens - WHERE token = ?', undef, $token); - $tokentype || ThrowUserError("token_does_not_exist"); + my ($db_token, $tokentype) = $dbh->selectrow_array('SELECT token, tokentype FROM tokens + WHERE token = ?', undef, $token); + (defined $db_token && $db_token eq $token && $tokentype) + || ThrowUserError("token_does_not_exist"); # Make sure the token is the correct type for the action being taken. if ( grep($action eq $_ , qw(cfmpw cxlpw chgpw)) && $tokentype ne 'password' ) { -- cgit v1.2.3-24-g4f1b 
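Review bot: `return undef if (...)` in GetTokenData yields a one-element list `(undef)` in list context, whereas the original `selectrow_array` call returned an empty list when no row matched; a caller that collects the result into an array and tests `if (@data)` would now see a true value on a miss. A bare `return;` gives undef in scalar context and the empty list in list context, matching the old behaviour: `return if !defined $db_token || $db_token ne $token;`. The MySQL-collation comment is now duplicated verbatim from Cancel; consider keeping the rationale in one place (or fixing the column collation so neither copy is needed).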
From 60343369b4f0cdcc758e8776839014ffcf8fcfb5 Mon Sep 17 00:00:00 2001 From: Dave Lawrence Date: Wed, 16 Oct 2013 12:14:11 -0400 Subject: Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=sgreen --- Bugzilla/Auth/Login/Cookie.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 91fb820fb..de9188c64 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -60,8 +60,8 @@ sub get_login_info { trick_taint($login_cookie); detaint_natural($user_id); - my $is_valid = - $dbh->selectrow_array('SELECT 1 + my $db_cookie = + $dbh->selectrow_array('SELECT cookie FROM logincookies WHERE cookie = ? AND userid = ? @@ -69,7 +69,7 @@ sub get_login_info { undef, ($login_cookie, $user_id, $ip_addr)); # If the cookie is valid, return a valid username. - if ($is_valid) { + if (defined $db_cookie && $login_cookie eq $db_cookie) { # If we logged in successfully, then update the lastused # time on the login cookie $dbh->do("UPDATE logincookies SET lastused = NOW() -- cgit v1.2.3-24-g4f1b From 6f5ed9c78eda6cbe6cf743ddacc82a6f9fccdf15 Mon Sep 17 00:00:00 2001 From: Dave Lawrence Date: Wed, 16 Oct 2013 12:27:00 -0400 Subject: Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=sgreen --- token.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/token.cgi b/token.cgi index ae9800d72..901094be4 100755 --- a/token.cgi +++ b/token.cgi 
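Review bot: The first hunk renames `$is_valid` to `$db_cookie` and the second updates the `if`, but the rest of get_login_info lies outside both hunks; under `use strict` any remaining reference to `$is_valid` there is a compile-time error, so the whole sub should be checked. The new condition correctly rejects a row that MySQL matched case-insensitively, but the fall-through path for that case (what the sub returns when `$db_cookie` is defined yet `ne $login_cookie`) is not visible here and must behave exactly like a missing cookie, so the rejection does not become an oracle for case-variant guesses. A comment above the `if` would make the intent survive refactoring: `# MySQL compares the cookie column case-insensitively; re-check in Perl so a case-variant guess is not accepted`.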
@@ -69,7 +69,7 @@ if ($token) { # Make sure the token exists in the database. my ($db_token, $tokentype) = $dbh->selectrow_array('SELECT token, tokentype FROM tokens WHERE token = ?', undef, $token); - (defined $db_token && $db_token eq $token && $tokentype) + (defined $db_token && $db_token eq $token) || ThrowUserError("token_does_not_exist"); # Make sure the token is the correct type for the action being taken. -- cgit v1.2.3-24-g4f1b From 2a3d79afa020dc49b0e2016b4015cdc94b74eec4 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 16 Oct 2013 19:08:20 +0200 Subject: Bug 913904: (CVE-2013-1734) [SECURITY] CSRF when updating attachments r=dkl a=sgreen --- attachment.cgi | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/attachment.cgi b/attachment.cgi index 64f78dc36..0078a4c16 100755 --- a/attachment.cgi +++ b/attachment.cgi 
@@ -661,20 +661,23 @@ sub update { $attachment->set_filename(scalar $cgi->param('filename')); # Now make sure the attachment has not been edited since we loaded the page. - if (defined $cgi->param('delta_ts') - && $cgi->param('delta_ts') ne $attachment->modification_time) - { - ($vars->{'operations'}) = - Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts')); + my $delta_ts = $cgi->param('delta_ts'); + my $modification_time = $attachment->modification_time; - # The token contains the old modification_time. We need a new one. - $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time])); + if ($delta_ts && $delta_ts ne $modification_time) { + datetime_from($delta_ts) + or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts }); + ($vars->{'operations'}) = + Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $delta_ts); # If the modification date changed but there is no entry in # the activity table, this means someone commented only. # In this case, there is no reason to midair. if (scalar(@{$vars->{'operations'}})) { - $cgi->param('delta_ts', $attachment->modification_time); + $cgi->param('delta_ts', $modification_time); + # The token contains the old modification_time. We need a new one. + $cgi->param('token', issue_hash_token([$attachment->id, $modification_time])); + $vars->{'attachment'} = $attachment; print $cgi->header(); -- cgit v1.2.3-24-g4f1b From 53eeca9fc9a12ae23a0aa66f1b38021e93d4f03c Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 16 Oct 2013 19:19:12 +0200 Subject: Bug 924802: (CVE-2013-1742) [SECURITY] (XSS) "id" and "sortkey" are not sanitized when editing flag types if categoryAction-foo is set r=dkl a=glob --- template/en/default/admin/flag-type/edit.html.tmpl | 6 +++--- template/en/default/filterexceptions.pl | 2 -- 2 files changed, 3 insertions(+), 5 deletions(-) 
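Review bot: `datetime_from($delta_ts)` is a new call in update and attachment.cgi's import list is outside the hunk; if `datetime_from` is not in the Bugzilla::Util import list the failure is a runtime "Undefined subroutine" that only surfaces when a client submits a mismatched delta_ts, so confirm the import. The guard also changed from `defined $cgi->param('delta_ts')` to a truthiness test on `$delta_ts`, which now skips the midair check for an empty string; that looks intended, but a short comment would keep a later reader from reverting it. Moving `issue_hash_token` under `if (scalar(@{$vars->{'operations'}}))` appears to be the substance of the CSRF fix and deserves a comment such as `# Only mint a fresh token when a real midair page is about to be rendered, never merely because delta_ts disagreed`. The sub continues beyond the hunk.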
diff --git a/template/en/default/admin/flag-type/edit.html.tmpl b/template/en/default/admin/flag-type/edit.html.tmpl index 2cb985a47..de0476e19 100644 --- a/template/en/default/admin/flag-type/edit.html.tmpl +++ b/template/en/default/admin/flag-type/edit.html.tmpl @@ -52,7 +52,7 @@
- + @@ -149,8 +149,8 @@ this type will be sorted when displayed to users in a list; ignore if you don't care what order the types appear in or if you want them to appear in alphabetical order.
- + diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl index 691241c9c..897ab148e 100644 --- a/template/en/default/filterexceptions.pl +++ b/template/en/default/filterexceptions.pl @@ -410,8 +410,6 @@ ], 'admin/flag-type/edit.html.tmpl' => [ - 'type.id', - 'type.sortkey || 1', 'selname', ], -- cgit v1.2.3-24-g4f1b From 3b9eb2e03904a12cf38268b2527742e5ede7f305 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 16 Oct 2013 19:26:25 +0200 Subject: Bug 924932: (CVE-2013-1743) [SECURITY] Field values are (still) not escaped correctly in tabular reports r=dkl a=glob --- template/en/default/reports/report-table.html.tmpl | 38 ++++++++++++++-------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl index b41753550..cef47c2d9 100644 --- a/template/en/default/reports/report-table.html.tmpl +++ b/template/en/default/reports/report-table.html.tmpl @@ -47,32 +47,42 @@ [% END %]
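Review bot: Dropping `'type.id'` and `'type.sortkey || 1'` from the exception list means the template must now pass both values through `FILTER html`; the corresponding admin/flag-type/edit.html.tmpl hunks on this page have their markup stripped (only the `-`/`+` markers survive), so that cannot be confirmed here and should be checked against the template before landing, otherwise the filter test (t/008filter.t, presumably) will flag them or the values are still emitted raw. The remaining `'selname'` entry would benefit from a one-line note on why it stays exempt.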