Bug #60989 logged in users can't access the security bugs reported by them
Submitted: 2012-02-06 11:24 UTC Modified: 2012-05-08 23:36 UTC
From: tyrael@php.net Assigned: tyrael (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2012-02-06 11:24 UTC] tyrael@php.net
Description:
------------
I just reported a few security issues, and noticed that:
- anybody can access the basic information about the private/security bugs (summary, Submitted, Modified, From, Assigned, Status, Package, PHP version, OS, CVE-ID).
- logged-in users can't access the bug; they are still asked for a password, which they don't have, as they didn't have to provide one at the original report.
- I'm not sure whether it is a bug or just a mail delivery issue, but when I tried to recover the password through bug-pwd-finder.php, it said it was successful ("The password for bug report #60988 has been sent to tyrael@php.net"), but I didn't get any mail.


Patches

bugsweb-security.diff (last revision 2012-05-07 20:59 UTC by tyrael@php.net)

Pull Requests

History

 [2012-05-05 18:35 UTC] tyrael@php.net
So I would like to propose these changes:
- logged-in users should be able to access the private bugs reported by them.
- only the reporter and the $security_developers should be able to see the quick summary of the private bugs (summary, Submitted, Modified, From, Assigned, Status, Package, PHP version, OS, CVE-ID would be hidden or asterisked out).
- the view tab should only contain the 'This bug report is marked as private.' message for non-authorized people (neither security dev nor reporter).
- the developer tab for logged-in but non-authorized people should only contain 'This bug report is marked as private.' (currently it contains the 'This bug report is marked as private.' checkbox, the 'Quick Fix' dropdown and the 'Block user comment' checkbox).
 [2012-05-05 20:25 UTC] tyrael@php.net
The following patch has been added/updated:

Patch Name: bugsweb-security.diff
Revision:   1336249511
URL:        https://bugs.php.net/patch-display.php?bug=60989&patch=bugsweb-security.diff&revision=1336249511
 [2012-05-05 20:26 UTC] tyrael@php.net
The attached patch should solve the issues.
I tested it on my local developer environment and it seemed to work just fine, but given the recent events, I would like somebody to review it before I push it.
 [2012-05-05 20:28 UTC] tyrael@php.net
The following patch has been added/updated:

Patch Name: bugsweb-security.diff
Revision:   1336249720
URL:        https://bugs.php.net/patch-display.php?bug=60989&patch=bugsweb-security.diff&revision=1336249720
 [2012-05-05 21:01 UTC] pajoye@php.net
I'm not sure I understand all the points you listed, however:

Only security members (see the list in the bugs code) should be able to see a security report.

Anyone else should see nothing but the bug # and the text saying that this bug is private, but not the summary, title or any other information, not even the reporter name.

This is what I discussed with Felipe earlier this week as well.
 [2012-05-05 21:11 UTC] tyrael@php.net
Yeah, I'm fairly sure that I restricted the access correctly.
I expanded the access only for one special case: if the bug reporter was logged in (hence he/she has an SVN account) when reporting the bug, he/she didn't get a password, so he/she won't be able to come back later and access the bug.
I added an if clause to the bugs_has_access() function to check if the bug has the reporter_name field set and the reporter equals the currently logged-in user's handle.

So the current access list is the same as you mentioned, but the reporter can be either an anonymous user authenticated with the bug password set when opening the bug, or an authenticated user.

I also fixed it so that no public info is shown to unauthorized people.
 [2012-05-05 21:44 UTC] tyrael@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: tyrael
 [2012-05-06 19:03 UTC] tyrael@php.net
The following patch has been added/updated:

Patch Name: bugsweb-security.diff
Revision:   1336331011
URL:        https://bugs.php.net/patch-display.php?bug=60989&patch=bugsweb-security.diff&revision=1336331011
 [2012-05-06 19:08 UTC] tyrael@php.net
Felipe reviewed the patch; he noticed two small mistakes (one line was commented out instead of removed, and another issue was checking "$user_flags == BUGS_DEV_USER" instead of "$user_flags & BUGS_DEV_USER").
I've updated the patch accordingly.
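The following is an added illustration, not the bugs.php.net code or the patch itself: a minimal model of the bugs_has_access() rule described in the comments above (security developers, reporter with the per-bug password, or the logged-in user whose handle equals reporter_name) together with the flag comparison mistake Felipe caught. Constant and array key names other than bugs_has_access(), reporter_name, $security_developers and BUGS_DEV_USER are assumptions.

```php
<?php
// Constructed flag values; BUGS_DEV_USER is named on the page, the others are assumed.
const BUGS_NORMAL_USER = 1;
const BUGS_DEV_USER    = 2;
const BUGS_TRUSTED_DEV = 4;   // assumed: a second bit a developer may also carry

// Handles allowed to view every private bug (the $security_developers list on the page).
$security_developers = ['sec-dev-a'];

// The mistake described in the thread: equality against a single bit. A user whose
// flags are BUGS_DEV_USER | BUGS_TRUSTED_DEV (= 6) is no longer recognised as a dev.
function is_dev_buggy(int $user_flags): bool
{
    return $user_flags == BUGS_DEV_USER;
}

// Corrected form: test the bit, so extra flags do not break the check.
function is_dev_fixed(int $user_flags): bool
{
    return ($user_flags & BUGS_DEV_USER) !== 0;
}

// Access rule for a private bug, modelled on the thread. Anyone not matched here
// should see only "This bug report is marked as private."
function bugs_has_access(array $bug, ?string $logged_in_user, ?string $supplied_pw,
                         array $security_developers): bool
{
    if (!$bug['private']) {
        return true;                                   // public bug: no restriction
    }
    if ($logged_in_user !== null && in_array($logged_in_user, $security_developers, true)) {
        return true;                                   // security developer
    }
    if ($supplied_pw !== null && hash_equals($bug['passwd'], $supplied_pw)) {
        return true;                                   // anonymous reporter with the bug password
    }
    // The change proposed in this bug: reporter_name is set and equals the logged-in handle.
    if ($logged_in_user !== null && !empty($bug['reporter_name'])
        && $bug['reporter_name'] === $logged_in_user) {
        return true;
    }
    return false;
}

// Constructed sample bug ('passwd' key and its value are assumptions).
$bug = ['private' => true, 'passwd' => 'constructed-pw', 'reporter_name' => 'tyrael'];
var_dump(bugs_has_access($bug, 'tyrael', null, $security_developers));          // logged-in reporter
var_dump(bugs_has_access($bug, 'someone', null, $security_developers));         // unrelated logged-in user
var_dump(bugs_has_access($bug, null, 'constructed-pw', $security_developers));  // anonymous reporter, bug password
var_dump(is_dev_buggy(BUGS_DEV_USER | BUGS_TRUSTED_DEV));
var_dump(is_dev_fixed(BUGS_DEV_USER | BUGS_TRUSTED_DEV));
```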
 [2012-05-07 20:59 UTC] tyrael@php.net
The following patch has been added/updated:

Patch Name: bugsweb-security.diff
Revision:   1336424367
URL:        https://bugs.php.net/patch-display.php?bug=60989&patch=bugsweb-security.diff&revision=1336424367
 [2012-05-08 23:36 UTC] tyrael@php.net
-Status: Assigned +Status: Closed
 [2012-05-08 23:36 UTC] tyrael@php.net
This bug has been fixed in SVN. Since the websites are not directly
updated from the SVN server, the fix might need some time to spread
across the globe to all mirror sites, including PHP.net itself.

Thank you for the report, and for helping us make PHP.net better.

I committed the fixes in small chunks, plus I also discussed with johannes about his original fix, and came up with a better one.