author | mkanat%kerio.com <> | 2005-07-08 12:36:34 +0000 |
---|---|---|
committer | mkanat%kerio.com <> | 2005-07-08 12:36:34 +0000 |
commit | fe79a33e5b5c52dc6a395e439b056d62c56bfa69 (patch) | |
tree | da1be60422268b4bd4d922b1e4051728072c13f7 | |
parent | Bug 293159: [SECURITY] Anyone can change flags and access bug summaries due t... (diff) | |
Bug 292544: [SECURITY] Can see a security-sensitive bug in buglist.cgi for a short time when there are certain performance problems
Patch By Frederic Buclin <LpSolit@gmail.com> r=joel, a=justdave
-rw-r--r-- | Bugzilla/Search.pm | 2 | ||||
-rwxr-xr-x | checksetup.pl | 6 | ||||
-rw-r--r-- | globals.pl | 9 | ||||
-rwxr-xr-x | post_bug.cgi | 17 |
4 files changed, 27 insertions, 7 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 374501d86..d00921c3a 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1120,7 +1120,7 @@ sub init {
 }
 $query .= " WHERE " . join(' AND ', (@wherepart, @andlist)) .
- " AND ((bug_group_map.group_id IS NULL)";
+ " AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL)";
 if ($user) {
 my $userid = $user->id;
diff --git a/checksetup.pl b/checksetup.pl
index 7399f5ff7..5a665aef8 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -1691,7 +1691,7 @@ $table{bugs} =
 bug_file_loc text,
 bug_severity enum($my_severities) not null,
 bug_status enum("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED", "RESOLVED", "VERIFIED", "CLOSED") not null,
- creation_ts datetime not null,
+ creation_ts datetime,
 delta_ts timestamp not null,
 short_desc mediumtext not null,
 op_sys enum($my_opsys) not null,
@@ -4127,6 +4127,10 @@ if (!GetFieldDef('quips', 'userid')->[2]) {
 $dbh->do('UPDATE quips SET userid = NULL WHERE userid = 0');
 }
+# 2005-06-14 - LpSolit@gmail.com - Bug 292544: only set creation_ts
+# when all bug fields have been correctly set.
+ChangeFieldType('bugs', 'creation_ts', 'datetime');
+
 # If you had to change the --TABLE-- definition in any way, then add your
 # differential change code *** A B O V E *** this comment.
diff --git a/globals.pl b/globals.pl
index 429d93bc0..e01ef23fb 100644
--- a/globals.pl
+++ b/globals.pl
@@ -698,7 +698,8 @@ sub CanSeeBug {
 " user_group_map.group_id = bug_group_map.group_id" .
 " AND user_group_map.isbless = 0" .
 " AND user_group_map.user_id = $userid" .
- " WHERE bugs.bug_id = $id GROUP BY bugs.bug_id";
+ " WHERE bugs.bug_id = $id AND creation_ts IS NOT NULL" .
+ " GROUP BY bugs.bug_id";
 PushGlobalSQLState();
 SendSQL($query);
 my ($found_id, $reporter, $assigned_to, $qa_contact, 
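Review bot: The `bugs.creation_ts IS NOT NULL` condition added to the `$query .=` statement in Bugzilla/Search.pm's `init` carries a security meaning that nothing at the call site explains: a NULL `creation_ts` now marks a bug that post_bug.cgi has inserted but not finished setting up. I would add a comment above the statement, for example `# A NULL creation_ts means post_bug.cgi is still filing the bug; never list it.` In this diff only this query and `CanSeeBug` in globals.pl gain the filter, so any other code that reads `bugs` directly would presumably need the same condition; that cannot be confirmed from the patch. `init` begins and ends outside the hunk.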
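Review bot: In the first globals.pl hunk (`CanSeeBug`) the added condition names the column as bare `creation_ts`, while the Search.pm hunk of this same commit writes `bugs.creation_ts`. The query joins other tables (the context lines reference `user_group_map` and `bug_group_map`), so qualifying the column keeps the visibility filter unambiguous if one of them ever gains a column of that name: `" WHERE bugs.bug_id = $id AND bugs.creation_ts IS NOT NULL" .`. `$id` and `$userid` are interpolated directly into the SQL text; whether they are validated as integers is decided before the hunk and is not visible here.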
@@ -706,8 +707,9 @@ sub CanSeeBug {
 $found_cc, $found_groups, $found_members) = FetchSQLData();
 PopGlobalSQLState();
- return (
- ($found_groups == 0)
+ return ($found_id
+ &&
+ (($found_groups == 0)
 || (($userid > 0) && ( ($assigned_to == $userid)
@@ -716,6 +718,7 @@ sub CanSeeBug {
 || ($found_cc && $cc_access)
 || ($found_groups == $found_members)
 ))
+ )
 );
 }
diff --git a/post_bug.cgi b/post_bug.cgi
index 66d5cd742..696f70210 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -320,8 +320,9 @@ if (UserInGroup("editbugs") && defined($::FORM{'dependson'})) {
 }
 # Build up SQL string to add bug.
+# creation_ts will only be set when all other fields are defined.
 my $sql = "INSERT INTO bugs " .
- "(" . join(",", @used_fields) . ", reporter, creation_ts, " .
+ "(" . join(",", @used_fields) . ", reporter, " .
 "estimated_time, remaining_time) " .
 "VALUES (";
@@ -335,7 +336,7 @@ $comment = trim($comment);
 # OK except for the fact that it causes e-mail to be suppressed.
 $comment = $comment ? $comment : " ";
-$sql .= "$::userid, now(), ";
+$sql .= "$::userid, ";
 # Time Tracking
 if (UserInGroup(Param("timetrackinggroup")) &&
@@ -405,6 +406,11 @@ while (MoreSQLData()) {
 }
 # Add the bug report to the DB.
+SendSQL("LOCK TABLES bugs WRITE, bug_group_map WRITE, longdescs WRITE,
+ cc WRITE, keywords WRITE, dependencies WRITE,
+ bugs_activity WRITE, groups READ, user_group_map READ,
+ keyworddefs READ, fielddefs READ");
+
 SendSQL($sql);
 SendSQL("select now()");
@@ -471,6 +477,13 @@ if (UserInGroup("editbugs")) {
 }
 }
+# All fields related to the newly created bug are set.
+# The bug can now be made accessible.
+SendSQL("UPDATE bugs SET creation_ts = " . SqlQuote($timestamp) .
+ " WHERE bug_id = $id");
+
+SendSQL("UNLOCK TABLES");
+
 # Gather everyone interested in the details of the new bug (forced recipients)
 my $mailrecipients = { 'cc' => \@cc,
 'owner' => DBID_to_name($::FORM{'assigned_to'}), |
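Review bot: The new `$found_id &&` guard in `CanSeeBug`'s return (second globals.pl hunk) has no comment saying what an empty result means. A reader could take it for a redundant existence test, when it is the check that denies access once the row has been filtered out by `creation_ts IS NOT NULL`. I would put `# No row: the bug does not exist or is still being filed (creation_ts IS NULL), so deny.` above the `return`. A guard clause, `return 0 unless $found_id;`, would also read more plainly than the extra level of parentheses that the following hunk has to close. The function starts before this hunk.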
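Review bot: The `LOCK TABLES` list added under `# Add the bug report to the DB.` in post_bug.cgi has to name every table the script touches before the matching `UNLOCK TABLES`, because MySQL refuses access to unlisted tables while a lock set is held. Most of the statements between the lock and the unlock lie outside the hunks, so the list cannot be checked against them from this diff. A comment stating the rule would protect later edits, for example `# Every table read or written before UNLOCK TABLES below must be listed here.` It is also worth confirming that error exits between the two statements release the locks; that code is not visible here.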
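Review bot: Nothing in the last post_bug.cgi hunk covers the case where the script stops between the earlier `INSERT INTO bugs` and this `UPDATE bugs SET creation_ts`. The row would then keep a NULL `creation_ts` and stay hidden from both patched queries, with no visible trace for an administrator. I would document that at the UPDATE, for example `# If we stop before this statement the bug row stays hidden (creation_ts IS NULL) and needs cleanup.`, and add a maintenance check that reports rows `WHERE creation_ts IS NULL`. Whether `SendSQL` aborts the script on failure is not shown in the diff.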