Bug 489756 - non-privileged users able to remove others from the CC list
Summary: non-privileged users able to remove others from the CC list
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Bugzilla
Classification: Community
Component: Creating/Changing Bugs
Version: 3.6
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Simon Green
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-03-11 17:58 UTC by Vincent Danen
Modified: 2014-10-12 22:46 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-07-01 20:48:33 UTC
Embargoed:


Links
System: Mozilla Foundation, ID: 28849 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Vincent Danen 2009-03-11 17:58:54 UTC
It was reported to me that a "regular" user could remove other users from the CC list of a bug without error.  He did, by way of example, remove a kernel developer from a security-related kernel bug (then added him back once he realized what he did, of course).  A "regular" user shouldn't be able to do this (they should only be able to remove their own email address from the CC list).

There is an upstream bug about this:

https://bugzilla.mozilla.org/show_bug.cgi?id=458142

Upstream doesn't think this is a bug.  Their rationale is that if a user is able to add any address to the CC, they should be able to remove any address as well.

An overly complicated "fix" would be to map who adds what CC to the list and allow a user to remove only CCs they have added.  An easier fix would be to allow users to add a CC, but not allow them to remove anyone from the CC list other than their own address (and leave it to others to remove themselves from the CC list).

I don't know if we use a finer-grained ACL than upstream does, so I'm not sure if anyone and everyone is in the editbugs group; if not, we could restrict this kind of change to users in the editbugs group.

Regardless, I think the ability for anyone to arbitrarily remove others from the CC list is wrong; there should be some special privileges required to do this or, at the very least, a restriction on a user to only remove their own address from the CC list.

Comment 1 Noura El hawary 2009-03-19 08:40:03 UTC
Hi Vincent,

I don't really think this is a big issue, and I agree with upstream that people who are able to add others to the cc list should be able to remove them as well. Only people who have access to the bugs can do that, as bugs can either be public or be associated with private groups, so only people in those groups can make changes to the bugs, including cclist changes. I am not sure about that security-related bug you are talking about, as regular users don't have access to security bugs; please give us an example of a bug number that was accessed and changed by an unauthorized user. Also, another thing is that if any user gets removed from the cclist then they get notified by email that they have been removed.

Noura

Comment 2 Vincent Danen 2009-03-19 13:57:06 UTC
No, it wasn't a private security bug, it was a public one.  Obviously group restrictions would prevent someone from changing the cclist of a private bug; that's not what I'm talking about.

Also, I didn't mean to imply that *this* is a security bug.  I just think it's wrong behaviour that if I add myself to the cclist of a public bug, any average joe can remove me.  Sure, I'd get an email about it, and can add myself back, but I don't think that should be something that just anyone should be able to do.

Comment 3 Kurt Seifried 2009-03-23 08:27:40 UTC
Well it's not just deleting people off the list but I can add joe random as well.

Comment 4 Alasdair Kergon 2009-04-24 23:47:24 UTC
Assuming this behaves as described (and I haven't tested it) how often do people have a genuine reason to remove other people from bugs?  How often do people accidentally/deliberately remove other people when they shouldn't?

Could the cure cause more hassle than the problem?

Comment 5 Alasdair Kergon 2009-04-24 23:49:33 UTC
The thing that causes me most trouble in this area is when someone takes a bug assigned to me and reassigns it to someone else without adding me to the cc - I'd like an option to say 'always add me to the cc if someone else takes ownership of a bug away from me'.

Comment 6 David Lawrence 2010-01-15 17:32:51 UTC
Red Hat Bugzilla is now using version 3.4 of the Bugzilla codebase and therefore this feature will need to be implemented against the new release. Updating bug version to 3.2.

Comment 7 David Lawrence 2010-08-25 21:41:10 UTC
Red Hat has now upgraded to Bugzilla 3.6 and this bug will now be reassigned to that version. It would be helpful to the Bugzilla Development Team if this bug is verified to still be an issue with the latest version. If it is no longer an issue, then feel free to close, otherwise please comment that it is still a problem and we will try to address the issue as soon as we can.

Thanks
Bugzilla Development Team

Comment 8 Kurt Seifried 2010-08-26 00:19:14 UTC
Still works, I went to Bug 489755 and deleted tscherf from it and then re-added him. You can go to any bug and add/remove anyone from the CC list.

Comment 10 Simon Green 2012-06-19 23:35:20 UTC
This was fixed upstream as part of the Bugzilla 4.2 release.

https://bugzilla.mozilla.org/show_bug.cgi?id=28849

  -- simon

Comment 11 Kurt Seifried 2012-06-20 05:16:24 UTC
Who    When                     What  Removed  Added
kurt   2012-06-20 01:14:28 EDT  CC    tkramer  kurt
kurt   2012-06-20 01:14:50 EDT  CC             tkramer

And we're still vulnerable, I was able to do this from my personal account (picked a random open bug, removed/added tkramer back in).

Comment 12 Kurt Seifried 2012-06-20 05:17:30 UTC
For reference it was https://bugzilla.redhat.com/show_activity.cgi?id=799187
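The following is an added example, not Bugzilla's own code: it models the "easier fix" proposed in the description (anyone may add a CC, but may remove only their own address unless they are in the editbugs group) and applies it as an audit over activity rows in the shape quoted in comment 11, so that removals the policy would reject can be spotted in show_activity output. The tab-separated row layout, the group membership, and the users alice, bob, carol and dave are constructed for the example.

```python
from dataclasses import dataclass

EDITBUGS = "editbugs"  # group the report suggests as a gate for CC removals

def can_change_cc(actor, actor_groups, removed):
    """Policy proposed in the description: anyone may add CC addresses,
    but may remove only their own address unless they are in editbugs."""
    if not removed or EDITBUGS in actor_groups:
        return True
    return removed <= {actor}

@dataclass
class CCChange:
    who: str
    when: str
    removed: frozenset
    added: frozenset

def _addrs(value):
    # Bugzilla lists several addresses as "a, b"; a blank field means none.
    return frozenset(v.strip() for v in value.split(",") if v.strip())

def parse_activity(text):
    """Parse tab-separated rows shaped like show_activity.cgi output
    (who, when, what, removed, added) and keep only the CC rows."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        who, when, what, removed, added = line.split("\t")
        if what == "CC":
            rows.append(CCChange(who, when, _addrs(removed), _addrs(added)))
    return rows

def audit(text, groups):
    """Return CC changes the proposed policy would reject: removal of
    someone else's address by a user who is not in editbugs."""
    return [r for r in parse_activity(text)
            if not can_change_cc(r.who, groups.get(r.who, set()), r.removed)]

# Constructed sample modelled on the activity rows quoted in comment 11.
ACTIVITY = (
    "kurt\t2012-06-20 01:14:28 EDT\tCC\ttkramer\tkurt\n"
    "kurt\t2012-06-20 01:14:50 EDT\tCC\t\ttkramer\n"
    "alice\t2012-06-21 09:00:00 EDT\tCC\talice\t\n"
    "bob\t2012-06-21 09:05:00 EDT\tCC\tcarol, dave\t\n"
    "bob\t2012-06-21 09:06:00 EDT\tStatus\tNEW\tASSIGNED\n"
)
GROUPS = {"bob": {EDITBUGS}}  # constructed membership; kurt and alice hold no groups
```

Running audit(ACTIVITY, GROUPS) flags only the first row, where kurt removed tkramer without editbugs; the self-removal by alice and the removal by bob (editbugs) pass, and the Status row is ignored.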

Comment 13 Alasdair Kergon 2012-06-20 09:49:06 UTC
This behaves correctly for me:  using a non-privileged account, I only have the option to remove myself, not other people.

Does fedora_contrib which you have on that test account provide additional permissions?

Comment 14 Kurt Seifried 2012-07-01 20:48:33 UTC
Ah, interesting, I have confirmed that this does indeed behave properly, I created another account, it is unable to remove users. So yes, my kurt appears to have some additional privileges (likely due to the Fedora stuff). Thanks!
