Bug 292544: [SECURITY] Can see a security-sensitive bug in buglist.cgi for a…

Bug 292544: [SECURITY] Can see a security-sensitive bug in buglist.cgi for a short time when there are certain performance problems Patch By Frederic Buclin <LpSolit@gmail.com> r=joel, a=justdave

Bug 292544: [SECURITY] Can see a security-sensitive bug in buglist.cgi for a…
9b11535c · mkanat%kerio.com · 0d7a4fbf · 9b11535c · 9b11535c · 9b11535c
Commit 9b11535c authored Jul 08, 2005 by mkanat%kerio.com
Showing with 30 additions and 13 deletions

Schema.pm Bugzilla/DB/Schema.pm +1 -1

Search.pm Bugzilla/Search.pm +1 -1

User.pm Bugzilla/User.pm +10 -9

checksetup.pl checksetup.pl +3 -0

post_bug.cgi post_bug.cgi +15 -2

No files found.
--- a/Bugzilla/DB/Schema.pm
+++ b/Bugzilla/DB/Schema.pm
@@ -156,7 +156,7 @@ use constant ABSTRACT_SCHEMA => {
            bug_file_loc        => {TYPE => 'TEXT'},
            bug_severity        => {TYPE => 'varchar(64)', NOTNULL => 1},
            bug_status          => {TYPE => 'varchar(64)', NOTNULL => 1},
-            creation_ts         => {TYPE => 'DATETIME', NOTNULL => 1},
+            creation_ts         => {TYPE => 'DATETIME'},
            delta_ts            => {TYPE => 'DATETIME', NOTNULL => 1},
            short_desc          => {TYPE => 'MEDIUMTEXT', NOTNULL => 1},
            op_sys              => {TYPE => 'varchar(64)', NOTNULL => 1},

--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1357,7 +1357,7 @@ sub init {
    }

    $query .= " WHERE " . join(' AND ', (@wherepart, @andlist)) .
-              " AND ((bug_group_map.group_id IS NULL)";
+              " AND bugs.creation_ts IS NOT NULL AND ((bug_group_map.group_id IS NULL)";

    if ($user->id) {
        my $userid = $user->id;

--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -356,7 +356,7 @@ sub can_see_bug {
    # is cached because this may be called for every row in buglists or
    # every bug in a dependency list.
    unless ($sth) {
-        $sth = $dbh->prepare("SELECT reporter, assigned_to, qa_contact,
+        $sth = $dbh->prepare("SELECT 1, reporter, assigned_to, qa_contact,
                             reporter_accessible, cclist_accessible,
                             COUNT(cc.who), COUNT(bug_group_map.bug_id)
                             FROM bugs
@@ -367,22 +367,23 @@ sub can_see_bug {
                               ON bugs.bug_id = bug_group_map.bug_id
                               AND bug_group_map.group_ID NOT IN(" .
                               join(',',(-1, values(%{$self->groups}))) .
-                               ") WHERE bugs.bug_id = ? " .
+                               ") WHERE bugs.bug_id = ? 
+                               AND creation_ts IS NOT NULL " .
                             $dbh->sql_group_by('bugs.bug_id', 'reporter, ' .
                             'assigned_to, qa_contact, reporter_accessible, ' .
                             'cclist_accessible'));
    }
    $sth->execute($bugid);
-    my ($reporter, $owner, $qacontact, $reporter_access, $cclist_access,
+    my ($ready, $reporter, $owner, $qacontact, $reporter_access, $cclist_access,
        $isoncclist, $missinggroup) = $sth->fetchrow_array();
    $sth->finish;
    $self->{sthCanSeeBug} = $sth;
-    return ( (($reporter == $userid) && $reporter_access)
-           || (Param('useqacontact') && $qacontact && 
-              ($qacontact == $userid))
-           || ($owner == $userid)
-           || ($isoncclist && $cclist_access)
-           || (!$missinggroup) );
+    return ($ready
+            && ((($reporter == $userid) && $reporter_access)
+                || (Param('useqacontact') && $qacontact && ($qacontact == $userid))
+                || ($owner == $userid)
+                || ($isoncclist && $cclist_access)
+                || (!$missinggroup)));
 }

 sub get_selectable_products {

--- a/checksetup.pl
+++ b/checksetup.pl
@@ -3966,6 +3966,9 @@ if (!exists $dbh->bz_column_info('milestones', 'sortkey')->{DEFAULT}) {
                          {TYPE => 'INT2', NOTNULL => 1, DEFAULT => 0});
 }

+# 2005-06-14 - LpSolit@gmail.com - Bug 292544: only set creation_ts
+# when all bug fields have been correctly set.
+$dbh->bz_alter_column('bugs', 'creation_ts', {TYPE => 'DATETIME'});

 # If you had to change the --TABLE-- definition in any way, then add your
 # differential change code *** A B O V E *** this comment.

--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -288,8 +288,9 @@ my $timestamp = FetchOneColumn();
 my $sql_timestamp = SqlQuote($timestamp);

 # Build up SQL string to add bug.
+# creation_ts will only be set when all other fields are defined.
 my $sql = "INSERT INTO bugs " . 
-  "(" . join(",", @used_fields) . ", reporter, creation_ts, delta_ts, " .
+  "(" . join(",", @used_fields) . ", reporter, delta_ts, " .
  "estimated_time, remaining_time, deadline) " .
  "VALUES (";

@@ -303,7 +304,7 @@ $comment = trim($comment);
 # OK except for the fact that it causes e-mail to be suppressed.
 $comment = $comment ? $comment : " ";

-$sql .= "$::userid, $sql_timestamp, $sql_timestamp, ";
+$sql .= "$::userid, $sql_timestamp, ";

 # Time Tracking
 if (UserInGroup(Param("timetrackinggroup")) &&
@@ -377,6 +378,11 @@ while (MoreSQLData()) {
 }

 # Add the bug report to the DB.
+$dbh->bz_lock_tables('bugs WRITE', 'bug_group_map WRITE', 'longdescs WRITE',
+                     'cc WRITE', 'keywords WRITE', 'dependencies WRITE',
+                     'bugs_activity WRITE', 'groups READ', 'user_group_map READ',
+                     'keyworddefs READ', 'fielddefs READ');
+
 SendSQL($sql);

 # Get the bug ID back.
@@ -436,6 +442,13 @@ if (UserInGroup("editbugs")) {
    }
 }

+# All fields related to the newly created bug are set.
+# The bug can now be made accessible.
+$dbh->do("UPDATE bugs SET creation_ts = ? WHERE bug_id = ?",
+          undef, ($timestamp, $id));
+
+$dbh->bz_unlock_tables();
+
 # Email everyone the details of the new bug 
 $vars->{'mailrecipients'} = {'changer' => Bugzilla->user->login};