From: jake%acutex.net <>
Date: Mon, 27 Aug 2001 01:51:44 +0000 (+0000)
Subject: Bug 96085 - bypassing group security checks using duplicate bugs
X-Git-Tag: bugzilla-2.14~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c05c60cf06842168c9cb6a958accb28b728f7436;p=thirdparty%2Fbugzilla.git
Bug 96085 - bypassing group security checks using duplicate bugs
Patch by Christopher Aillon
r= jake@acutex.net
---
diff --git a/CGI.pl b/CGI.pl
index ddf5fa14cc..2cf6ffeca8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -21,6 +21,7 @@
# Dan Mosedale
# Joe Robins
# Dave Miller
+# Christopher Aillon
# Contains some global routines used throughout the CGI scripts of Bugzilla.
@@ -315,9 +316,11 @@ sub ValidateBugID {
AND cc.bug_id = bugs.bug_id
");
while (my ($ccwho) = FetchSQLData()) {
- push @cclist , $ccwho;
+ # more efficient to just check the var here instead of
+ # creating a potentially huge array to grep against
+ return if ($userid == $ccwho);
}
- return if grep($userid == $_ , @cclist);
+
}
# The user did not pass any of the authorization tests, which means they
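Review bot: With the membership test moved into the fetch loop, the `my @cclist;` declaration that presumably still sits above this hunk (it is not among the removed lines) is now dead and should be dropped, along with the stray blank line added before the closing brace. The early `return` is the point where a CC'd user is granted access, so the comment should say that rather than only explain the efficiency gain, e.g. `# user is on the cc list: authorized to see this bug`. ValidateBugID starts and ends outside the hunk, so whether returning with rows still unfetched is safe for the SendSQL/FetchSQLData pair cannot be confirmed from here.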
diff --git a/process_bug.cgi b/process_bug.cgi
index 53ec8d9dad..107bae5859 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -21,6 +21,7 @@
# Contributor(s): Terry Weissman
# Dan Mosedale
# Dave Miller
+# Christopher Aillon
use diagnostics;
use strict;
@@ -73,6 +74,16 @@ foreach my $id (@idlist) {
ValidateBugID($id);
}
+# If we are duping bugs, let's also make sure that we can change
+# the original. This takes care of issue A on bug 96085.
+if (defined $::FORM{'dup_id'} && $::FORM{'knob'} eq "duplicate") {
+ ValidateBugID($::FORM{'dup_id'});
+
+ # Also, let's see if the reporter has authorization to see the bug
+ # to which we are duping. If not we need to prompt.
+ DuplicateUserConfirm();
+}
+
# If the user has a bug list and is processing one bug, then after
# we process the bug we are going to show them the next bug on their
# list. Thus we have to make sure this bug ID is also valid,
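Review bot: The new block validates `dup_id` but then calls DuplicateUserConfirm(), which reads only `$::FORM{'id'}`, while the loop just above validates every entry of `@idlist`. If a multi-bug change can ever arrive with `knob=duplicate` (not determinable from this hunk), the reporter check would run against a single bug or an undefined id; adding `defined $::FORM{'id'}` to the `if`, or passing the ids as arguments, would make the assumption explicit. `$::FORM{'knob'}` is also compared with `eq` without a `defined` test, which warns under the `use diagnostics` visible earlier in the file. The comment's reference to "issue A on bug 96085" would be clearer spelled out, e.g. `# the user must also be authorized for the bug being duped to`.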
@@ -334,10 +345,95 @@ empowered user, may make that change to the $f field.
exit();
}
+# Confirm that the reporter of the current bug can access the bug we are duping to.
+sub DuplicateUserConfirm {
+ my $dupe = trim($::FORM{'id'});
+ my $original = trim($::FORM{'dup_id'});
+
+ SendSQL("SELECT reporter FROM bugs WHERE bug_id = " . SqlQuote($dupe));
+ my $reporter = FetchOneColumn();
+ SendSQL("SELECT profiles.groupset FROM profiles WHERE profiles.userid =".SqlQuote($reporter));
+ my $reportergroupset = FetchOneColumn();
+
+ SendSQL("SELECT ((groupset & $reportergroupset) = groupset) , reporter , assigned_to , qa_contact ,
+ reporter_accessible , assignee_accessible , qacontact_accessible , cclist_accessible
+ FROM bugs
+ WHERE bug_id = $original");
+
+ my ($isauthorized, $originalreporter, $assignee, $qacontact, $reporter_accessible,
+ $assignee_accessible, $qacontact_accessible, $cclist_accessible) = FetchSQLData();
+
+ # If reporter is authorized via the database, or is the original reporter, assignee,
+ # or QA Contact, we'll automatically confirm they can be added to the cc list
+ if ($isauthorized
+ || ($reporter_accessible && $originalreporter == $reporter)
+ || ($assignee_accessible && $assignee == $reporter)
+ || ($qacontact_accessible && $qacontact == $reporter)) {
+
+ $::FORM{'confirm_add_duplicate'} = "1";
+ return;
+ }
+
+ # Try to authorize the user one more time by seeing if they are on
+ # the cc: list. If so, finish validation and return.
+ if ($cclist_accessible ) {
+ my @cclist;
+ SendSQL("SELECT cc.who
+ FROM bugs , cc
+ WHERE bugs.bug_id = $original
+ AND cc.bug_id = bugs.bug_id
+ ");
+ while (my ($ccwho) = FetchSQLData()) {
+ if ($reporter == $ccwho) {
+ $::FORM{'confirm_add_duplicate'} = "1";
+ return;
+ }
+ }
+ }
+ if (defined $::FORM{'confirm_add_duplicate'}) {
+ return;
+ }
+ # Once in this part of the subroutine, the user has not been auto-validated
+ # and the duper has not chosen whether or not to add to CC list, so let's
+ # ask the duper what he/she wants to do.
+ # First, will the user gain access to this bug immediately by being CC'd?
+ my $reporter_access = $cclist_accessible ? "will immediately" : "might, in the future,";
+
+ print "Content-type: text/html\n\n";
+ PutHeader("Duplicate Warning");
+ print "
+When marking a bug as a duplicate, the reporter of the
+duplicate is normally added to the CC list of the original.
+The permissions on bug #$original (the original) are currently set
+such that the reporter would not normally be able to see it.
+
Adding the reporter to the CC list of bug #$original
+$reporter_access allow him/her access to view this bug.
+Do you wish to do this?
+
+";
+ print "\n};
+ PutFooter();
+ exit;
+} # end DuplicateUserConfirm()
if (defined $::FORM{'id'} && Param('strictvaluechecks')) {
# since this means that we were called from show_bug.cgi, now is a good
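Review bot: `$original` and `$reportergroupset` are interpolated directly into the two new SELECTs in DuplicateUserConfirm, while the first two queries in the same sub go through SqlQuote(). `$original` is safe only because ValidateBugID() ran on `dup_id` in the caller, and `$reportergroupset` is undefined when the reporter lookup returns no row, which yields malformed SQL. Use `WHERE bug_id = " . SqlQuote($original)` in both places and return or error out when `$reporter` is not defined before building the groupset query. `my @cclist;` is declared and never used. The sub should also carry a comment stating that `confirm_add_duplicate` arrives from the request, so the prompt records a decision by a user who already passed ValidateBugID on the original rather than an authorization check on the reporter.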
@@ -1261,8 +1357,9 @@ The changes made were:
my $isreporter = FetchOneColumn();
SendSQL("SELECT who FROM cc WHERE bug_id = " . SqlQuote($duplicate) . " and who = $reporter");
my $isoncc = FetchOneColumn();
- unless ($isreporter || $isoncc) {
- # The reporter is oblivious to the existance of the new bug... add 'em to the cc (and record activity)
+ unless ($isreporter || $isoncc || ! $::FORM{'confirm_add_duplicate'}) {
+ # The reporter is oblivious to the existance of the new bug and is permitted access
+ # ... add 'em to the cc (and record activity)
my $ccid = GetFieldID("cc");
my $whochange = DBNameToIdAndCheck($::FORM{'who'});
SendSQL("INSERT INTO bugs_activity (bug_id,who,bug_when,fieldid,removed,added) VALUES " .
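Review bot: The condition `unless ($isreporter || $isoncc || ! $::FORM{'confirm_add_duplicate'})` mixes `unless` with a negated term, which is easy to misread on the line that decides whether a user is added to the CC list of a restricted bug; `if (!$isreporter && !$isoncc && $::FORM{'confirm_add_duplicate'})` states the same thing directly. Any true string counts as confirmation, so a "no" answer from the warning page has to submit an empty value or `0`; the form markup is not visible here, so that is worth checking. The `who = $reporter` interpolation on the context line above is unquoted, unlike `SqlQuote($duplicate)` beside it. The enclosing block starts and ends outside the hunk.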