Bug 287109: [SECURITY] Names of private products/components can be exposed on certain...

Patch By Frederic Buclin <LpSolit@gmail.com> r=myk, a=justdave

diff --git a/enter_bug.cgi b/enter_bug.cgi
index 72617972248c9ef623b96012fe8c50e048c042a4..64c6124fadc481afaac5aadb4f4a81465eb331cb 100755 (executable)
--- a/enter_bug.cgi
+++ b/enter_bug.cgi
@@ -224,38 +224,11 @@ confirm_login() if (!(Param("usebuggroupsentry")));
 
 # If the usebuggroupsentry parameter is set, we need to check and make sure
 # that the user has permission to enter a bug against this product.
-if(Param("usebuggroupsentry") 
-   && GroupExists($product) 
-   && !UserInGroup($product)) 
-{
-    DisplayError("Sorry; you do not have the permissions necessary to " .
-                 "enter a bug against this product.\n");         
-    exit;
-}
+CanEnterProductOrWarn($product);
 
 GetVersionTable();
 
-if (lsearch(\@::enterable_products, $product) == -1) {
-    DisplayError("'" . html_quote($product) . "' is not a valid product.");
-    exit;
-}
-    
-if (0 == @{$::components{$product}}) {
-    my $error = "Sorry; there needs to be at least one component for this " .
-                "product in order to create a new bug. ";
-    if (UserInGroup('editcomponents')) {
-        $error .= "<a href=\"editcomponents.cgi\">" . 
-                  "Create a new component</a>\n";
-    }
-    else {              
-        $error .= "Please contact " . Param("maintainer") . ", detailing " .
-                  "the product in which you tried to create a new bug.\n";
-    }
-        
-    DisplayError($error);   
-    exit;
-} 
-elsif (1 == @{$::components{$product}}) {
+if (1 == @{$::components{$product}}) {
     # Only one component; just pick it.
     $::FORM{'component'} = $::components{$product}->[0];
 }

diff --git a/globals.pl b/globals.pl
index 1d6eb98d39ecd898e87eb6aff94c5c4c5c5a5662..262e3afc95287d354a69645b6bde6bf7bd403654 100644 (file)
--- a/globals.pl
+++ b/globals.pl
@@ -841,6 +841,50 @@ sub CanSeeBug {
     return $ret;
 }
 
+sub CanEnterProductOrWarn {
+    # Determines whether or not a user can enter bugs into the product.
+    my ($productname) = @_;
+
+    if (!GroupExists($productname)
+        || (Param("usebuggroupsentry")
+            && !UserInGroup($productname)))
+    {
+        DisplayError("Sorry, either this product does not exist, or you
+                      don't have the required permissions to enter a bug
+                      against that product.", "Permission Denied");
+        exit;
+    }
+
+    SendSQL("SELECT CASE WHEN disallownew = 0 THEN 1 ELSE 0 END
+             FROM products INNER JOIN components
+             ON components.program = products.product
+             WHERE products.product = " . SqlQuote($productname) . " LIMIT 1");
+
+    my $status = FetchOneColumn();
+
+    # Return 1 if the user can enter bugs into that product;
+    # return 0 if the product is closed for new bug entry;
+    # return undef if the product has no component.
+
+    if (!defined($status)) {
+        my $error = "Sorry; there needs to be at least one component for this " .
+                    "product in order to create a new bug. ";
+        if (UserInGroup('editcomponents')) {
+            $error .= "<a href=\"editcomponents.cgi\">Create a new component</a>\n";
+        }
+        else {              
+            $error .= "Please contact " . Param("maintainer") . ", detailing " .
+                      "the product in which you tried to create a new bug.\n";
+        }
+        DisplayError($error);   
+        exit;
+    } elsif (!$status) {
+        DisplayError("Sorry, entering bugs into this product has been disabled.");
+        exit;
+    }
+    return $status;
+}
+
 sub ValidatePassword {
     # Determines whether or not a password is valid (i.e. meets Bugzilla's
     # requirements for length and content).  If the password is valid, the

diff --git a/post_bug.cgi b/post_bug.cgi
index 101d949b3aa06e7d9ccb723e4563b991bc9b65bb..10c3fb5e857c2b3e7f74877b9e8d9aaabe943030 100755 (executable)
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -92,13 +92,7 @@ if (defined $::FORM{'maketemplate'}) {
 umask 0;
 
 # Some sanity checking
-if(Param("usebuggroupsentry") && GroupExists($product)) {
-    if(!UserInGroup($product)) {
-        DisplayError("Sorry; you do not have the permissions necessary to enter
-                      a bug against this product.", "Permission Denied");
-        exit;
-    }
-}
+CanEnterProductOrWarn($product);
 
 if (!$::FORM{'component'}) {
     DisplayError("You must choose a component that corresponds to this bug.

diff --git a/process_bug.cgi b/process_bug.cgi
index e43db35f3ee81f83172488813f2c0e75387bef2d..07b93129e09c126dbcb1b597f4086f213e831222 100755 (executable)
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -39,7 +39,8 @@ use RelationSet;
 
 # Shut up misguided -w warnings about "used only once":
 
-use vars qw(%versions
+use vars qw(@legal_product
+          %versions
           %components
           %COOKIE
           %legal_keywords
@@ -163,9 +164,19 @@ if ((($::FORM{'id'} && $::FORM{'product'} ne $::oldproduct)
      || (!$::FORM{'id'} && $::FORM{'product'} ne $::dontchange))
     && CheckonComment( "reassignbycomponent" ))
 {
-    CheckFormField(\%::FORM, 'product', \@::legal_product);
     my $prod = $::FORM{'product'};
 
+    # If at least one bug does not belong to the product we are
+    # moving to, we have to check whether or not the user is
+    # allowed to enter bugs into that product.
+    # Note that this check must be done early to avoid the leakage
+    # of component, version and target milestone names.
+    SendSQL("SELECT 1 FROM bugs
+             WHERE product != " . SqlQuote($prod) .
+           " AND bug_id IN (" . join(',', @idlist) . ") LIMIT 1");
+
+    if (FetchOneColumn()) { CanEnterProductOrWarn($prod) }
+
     # note that when this script is called from buglist.cgi (rather
     # than show_bug.cgi), it's possible that the product will be changed
     # but that the version and/or component will be set to