(CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and...

author ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Sat, 9 Mar 2013 05:54:10 +0000 (05:54 +0000)

committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Sat, 9 Mar 2013 05:54:10 +0000 (05:54 +0000)
author ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 9 Mar 2013 05:54:10 +0000 (05:54 +0000)
committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 9 Mar 2013 05:54:10 +0000 (05:54 +0000)
diff --git a/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm b/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm

index 0a238f20938e5231254e71585f717565aa0565a9..bfc4f224bc6480011e5b43e53d1ab605e158c90f 100644 (file)
--- a/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm
+++ b/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm
@@ -86,6 +86,14 @@ sub get_param_list {
     checker => \&check_group
    },
    
+  {
+   name => 'debug_group',
+   type => 's',
+   choices => \&_get_all_group_names,
+   default => 'admin',
+   checker => \&check_group
+  },
+  
    {
     name => 'usevisibilitygroups',
     type => 'b',
diff --git a/Websites/bugs.webkit.org/ChangeLog b/Websites/bugs.webkit.org/ChangeLog

index 466176f0db8046d38dfc10840510696682b7b626..59bfe6376163e719c8e93093d42ac5ea01f4acb7 100644 (file)
--- a/Websites/bugs.webkit.org/ChangeLog
+++ b/Websites/bugs.webkit.org/ChangeLog
@@ -1,3 +1,17 @@
+2013-03-08  David Kilzer  <ddkilzer@apple.com>
+
+        (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
+        <https://bugzilla.mozilla.org/show_bug.cgi?id=824399>
+        <exp2://Ticket/14465628>
+
+        Applied "v5 patch, 3.6" to bugs.webkit.org.
+
+        * Bugzilla/Config/GroupSecurity.pm:
+        (get_param_list):
+        * buglist.cgi:
+        * report.cgi:
+        * template/en/default/admin/params/groupsecurity.html.tmpl:
+
  2013-03-08  David Kilzer  <ddkilzer@apple.com>
  
          (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
diff --git a/Websites/bugs.webkit.org/buglist.cgi b/Websites/bugs.webkit.org/buglist.cgi

index f6ea3c07dda9176697b57f9ea7f232f435371859..e8b40fc71e67ca4bcabe8bbcd990a4e655bc795c 100755 (executable)
--- a/Websites/bugs.webkit.org/buglist.cgi
+++ b/Websites/bugs.webkit.org/buglist.cgi
@@ -1006,7 +1006,10 @@ elsif ($fulltext) {
  # Query Execution
  ################################################################################
  
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
      $vars->{'debug'} = 1;
      $vars->{'query'} = $query;
      $vars->{'debugdata'} = $search->getDebugData();
diff --git a/Websites/bugs.webkit.org/report.cgi b/Websites/bugs.webkit.org/report.cgi

index df25318abd3a08e0acf6d7bc38b9a86df036bf01..f4360efcdd102ef7fb1d7c0ce7065305887f2dc3 100755 (executable)
--- a/Websites/bugs.webkit.org/report.cgi
+++ b/Websites/bugs.webkit.org/report.cgi
@@ -247,7 +247,13 @@ $vars->{'width'} = $width if $width;
  $vars->{'height'} = $height if $height;
  
  $vars->{'query'} = $query;
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+    $vars->{'debug'} = 1;
+}
  
  my $formatparam = $cgi->param('format');
  
diff --git a/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl b/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl

index 440e1cf2f626dc765ade5387258b599ba13cd5b0..2330c4444c35bf43ef149fc4b69e1aaca3e16c1d 100644 (file)
--- a/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl
@@ -48,6 +48,9 @@
    querysharegroup => "The name of the group of users who can share their " _
                       "saved searches with others.",
  
+  debug_group => "The name of the group of users who can view the actual " _
+                 "SQL query generated when viewing $terms.bug lists and reports.",
+
    usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
                           "specific groups?",
author	ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Sat, 9 Mar 2013 05:54:10 +0000 (05:54 +0000)
committer	ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Sat, 9 Mar 2013 05:54:10 +0000 (05:54 +0000)
Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm		patch \| blob \| history
Websites/bugs.webkit.org/ChangeLog		patch \| blob \| history
Websites/bugs.webkit.org/buglist.cgi		patch \| blob \| history
Websites/bugs.webkit.org/report.cgi		patch \| blob \| history
Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl		patch \| blob \| history