Commit fe7a41f3 authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using User.get()

r=dkl a=LpSolit
parent a9aa1020
...@@ -158,6 +158,7 @@ use constant WS_ERROR_CODE => { ...@@ -158,6 +158,7 @@ use constant WS_ERROR_CODE => {
group_exists => 801, group_exists => 801,
empty_group_description => 802, empty_group_description => 802,
invalid_regexp => 803, invalid_regexp => 803,
invalid_group_name => 804,
# Classification errors are 900-1000 # Classification errors are 900-1000
auth_classification_not_enabled => 900, auth_classification_not_enabled => 900,
...@@ -310,17 +310,23 @@ sub _filter_users_by_group { ...@@ -310,17 +310,23 @@ sub _filter_users_by_group {
# If no groups are specified, we return all users. # If no groups are specified, we return all users.
return $users if (!$group_ids and !$group_names); return $users if (!$group_ids and !$group_names);
my @groups = map { Bugzilla::Group->check({ id => $_ }) } my $user = Bugzilla->user;
@{ $group_ids || [] }; my (@groups, %groups);
my @name_groups = map { Bugzilla::Group->check($_) }
@{ $group_names || [] }; if ($group_ids) {
my %unique_groups; @groups = map { Bugzilla::Group->check({ id => $_ }) } @$group_ids;
foreach my $group (@groups, @name_groups) { $groups{$_->id} = $_ foreach @groups;
$unique_groups{$group->id} ||= $group; }
if ($group_names) {
foreach my $name (@$group_names) {
my $group = Bugzilla::Group->check({ name => $name, _error => 'invalid_group_name' });
$user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name });
$groups{$group->id} = $group;
}
} }
@groups = values %groups;
my @in_group = grep { $self->_user_in_any_group($_, [values %unique_groups]) } my @in_group = grep { $self->_user_in_any_group($_, \@groups) } @$users;
@$users;
return \@in_group; return \@in_group;
} }
...@@ -875,10 +881,10 @@ querying your own account, even if you are in the editusers group. ...@@ -875,10 +881,10 @@ querying your own account, even if you are in the editusers group.
=over =over
=item 51 (Bad Login Name or Group Name) =item 51 (Bad Login Name or Group ID)
You passed an invalid login name in the "names" array or a bad You passed an invalid login name in the "names" array or a bad
group name/id in the C<groups>/C<group_ids> arguments. group ID in the C<group_ids> argument.
=item 304 (Authorization Required) =item 304 (Authorization Required)
...@@ -890,6 +896,11 @@ wanted to get information about by user id. ...@@ -890,6 +896,11 @@ wanted to get information about by user id.
Logged-out users cannot use the "ids" or "match" arguments to this Logged-out users cannot use the "ids" or "match" arguments to this
function. function.
=item 804 (Invalid Group Name)
You passed a group name in the C<groups> argument which either does not
exist or you do not belong to it.
=back =back
=item B<History> =item B<History>
...@@ -903,6 +914,9 @@ function. ...@@ -903,6 +914,9 @@ function.
=item C<include_disabled> was added in Bugzilla B<4.0>. Default =item C<include_disabled> was added in Bugzilla B<4.0>. Default
behavior for C<match> was changed to only return enabled accounts. behavior for C<match> was changed to only return enabled accounts.
=item Error 804 has been added in Bugzilla 4.0.9 and 4.2.4. It's now
illegal to pass a group name you don't belong to.
=item C<groups>, C<saved_searches>, and C<saved_reports> were added =item C<groups>, C<saved_searches>, and C<saved_reports> were added
in Bugzilla B<4.4>. in Bugzilla B<4.4>.
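Review bot: In `_filter_users_by_group`, the new membership test `$user->in_group($group)` is applied only to groups resolved by name, while the `$group_ids` branch still calls `Bugzilla::Group->check({ id => $_ })` with no such test, so a numeric ID appears to still give error 51 for a nonexistent group and a filtered user list for an existing group the caller is not a member of — the same existence/membership distinction this commit closes for names. Either apply the same `$user->in_group` test on the ID path (throwing an error that echoes only the supplied ID, never the resolved group name) or add a comment above `if ($group_ids) {` stating why IDs are deliberately exempt, since otherwise the asymmetry reads as an oversight. Separately, `$user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name });` uses `||` for flow control; the low-precedence `or` is the conventional form here and avoids precedence surprises if the left operand ever gains an argument list. The sub's opening, where `$self`, `$users`, `$group_ids` and `$group_names` are unpacked, lies above the hunk.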