aboutsummaryrefslogtreecommitdiffstats
path: root/process_bug.cgi
diff options
context:
space:
mode:
authorjustdave%bugzilla.org <>2004-10-25 14:19:05 +0000
committerjustdave%bugzilla.org <>2004-10-25 14:19:05 +0000
commit23df77be557e495a78808769378ce1f29ac00b4f (patch)
treeb666f7f287d3276f4c50b5bd547a69e7b6a1eda8 /process_bug.cgi
parentb121584e4a4c4dd1ca7ffd1d8cdf51b8a8551a07 (diff)
downloadbugs-23df77be557e495a78808769378ce1f29ac00b4f.tar
bugs-23df77be557e495a78808769378ce1f29ac00b4f.tar.gz
bugs-23df77be557e495a78808769378ce1f29ac00b4f.tar.bz2
bugs-23df77be557e495a78808769378ce1f29ac00b4f.tar.xz
bugs-23df77be557e495a78808769378ce1f29ac00b4f.zip
[SECURITY] Bug 252638: It is possible to send a carefully crafted HTTP POST message to process_bug.cgi which will remove keywords from a bug even if you don't have permissions to edit all bug fields (the "editbugs" permission). Such changes are reported in "bug changed" email notifications, so they are easily detected and reversed if someone abuses it.
Patch by Myk Melez <myk@mozilla.org> r=gerv, a=justdave
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-xprocess_bug.cgi22
1 files changed, 21 insertions, 1 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 9e47d8f98..c265ab8b9 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -1034,6 +1034,9 @@ if ($::FORM{'keywords'}) {
}
my $keywordaction = $::FORM{'keywordaction'} || "makeexact";
+if (!grep($keywordaction eq $_, qw(add delete makeexact))) {
+ $keywordaction = "makeexact";
+}
if ($::comma eq ""
&& (! @groupAdd) && (! @groupDel)
@@ -1174,6 +1177,23 @@ foreach my $id (@idlist) {
$i++;
}
+ # When editing multiple bugs, users can specify a list of keywords to delete
+ # from bugs. If the list matches the current set of keywords on those bugs,
+ # CheckCanChangeField above will fail to check permissions because it thinks
+ # the list hasn't changed. To fix that, we have to call CheckCanChangeField
+ # again with old!=new if the keyword action is "delete" and old=new.
+ if ($keywordaction eq "delete"
+ && exists $::FORM{keywords}
+ && length(@keywordlist) > 0
+ && $::FORM{keywords} eq $oldhash{keywords}
+ && !CheckCanChangeField("keywords", $id, "old is not", "equal to new"))
+ {
+ $vars->{'oldvalue'} = $oldhash{keywords};
+ $vars->{'newvalue'} = "no keywords";
+ $vars->{'field'} = "keywords";
+ ThrowUserError("illegal_change", $vars, "abort");
+ }
+
$oldhash{'product'} = get_product_name($oldhash{'product_id'});
if (!CanEditProductId($oldhash{'product_id'})) {
ThrowUserError("product_edit_denied",
@@ -1311,7 +1331,7 @@ foreach my $id (@idlist) {
$bug_changed = 1;
}
- if (@::legal_keywords) {
+ if (@::legal_keywords && exists $::FORM{keywords}) {
# There are three kinds of "keywordsaction": makeexact, add, delete.
# For makeexact, we delete everything, and then add our things.
# For add, we delete things we're adding (to make sure we don't