From 528016e235194489877c73835ad5296f2180440d Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 13 Nov 2012 18:36:33 +0100 Subject: Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using User.get() r=dkl a=LpSolit --- Bugzilla/WebService/Constants.pm | 1 + Bugzilla/WebService/User.pm | 26 ++++++++++++++++++++------ 2 files changed, 21 insertions(+), 6 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm index 59aab9b55..6274c3a78 100644 --- a/Bugzilla/WebService/Constants.pm +++ b/Bugzilla/WebService/Constants.pm @@ -166,6 +166,7 @@ use constant WS_ERROR_CODE => { group_exists => 801, empty_group_description => 802, invalid_regexp => 803, + invalid_group_name => 804, # Errors thrown by the WebService itself. The ones that are negative # conform to http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index f8704a947..deb7518ec 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -233,12 +233,18 @@ sub _filter_users_by_group { # If no groups are specified, we return all users. return $users if (!$group_ids and !$group_names); + my $user = Bugzilla->user; + my @groups = map { Bugzilla::Group->check({ id => $_ }) } @{ $group_ids || [] }; - my @name_groups = map { Bugzilla::Group->check($_) } - @{ $group_names || [] }; - push(@groups, @name_groups); - + + if ($group_names) { + foreach my $name (@$group_names) { + my $group = Bugzilla::Group->check({ name => $name, _error => 'invalid_group_name' }); + $user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name }); + push(@groups, $group); + } + } my @in_group = grep { $self->_user_in_any_group($_, \@groups) } @$users; @@ -586,10 +592,10 @@ C, C, and C items. =over -=item 51 (Bad Login Name or Group Name) +=item 51 (Bad Login Name or Group ID) You passed an invalid login name in the "names" array or a bad -group name/id in the C/C arguments. +group ID in the C argument. =item 304 (Authorization Required) @@ -601,6 +607,11 @@ wanted to get information about by user id. Logged-out users cannot use the "ids" or "match" arguments to this function. +=item 804 (Invalid Group Name) + +You passed a group name in the C argument which either does not +exist or you do not belong to it. + =back =item B @@ -614,6 +625,9 @@ function. =item C added in Bugzilla B<4.0>. Default behavior for C has changed to only returning enabled accounts. +=item Error 804 has been added in Bugzilla 4.0.9 and 4.2.4. It's now +illegal to pass a group name you don't belong to. + =back =back -- cgit v1.2.3-24-g4f1b