Package: bugzilla
Severity: important
Tags: security
Hi,
Please see http://www.bugzilla.org/security/3.2.8/.
I'm attaching the extracted fixes, please apply/upload once the
current upload has migrated to Squeeze.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
diff -urN --exclude=CVS --exclude='lib/CGI*' --exclude=docs --exclude=.bzr bugzilla-3.6.2/Bugzilla/CGI.pm bugzilla-3.6.3/Bugzilla/CGI.pm
--- bugzilla-3.6.2/Bugzilla/CGI.pm 2010-07-15 10:34:25.000000000 -0700
+++ bugzilla-3.6.3/Bugzilla/CGI.pm 2010-11-02 16:35:08.000000000 -0700
@@ -223,7 +221,8 @@
}
# Set the MIME boundary and content-type
- my $boundary = $param{'-boundary'} || '------- =_aaaaaaaaaa0';
+ my $boundary = $param{'-boundary'}
+ || '------- =_' . generate_random_password(16);
delete $param{'-boundary'};
$self->{'separator'} = "\r\n--$boundary\r\n";
$self->{'final_separator'} = "\r\n--$boundary--\r\n";
=== modified file 'Bugzilla/Constants.pm'
--- Bugzilla/Constants.pm 2010-08-06 02:30:01 +0000
+++ Bugzilla/Constants.pm 2010-10-24 21:50:43 +0000
@@ -543,6 +543,7 @@
'datadir' => "$libpath/$datadir",
'attachdir' => "$libpath/$datadir/attachments",
'skinsdir' => "$libpath/skins",
+ 'graphsdir' => "$libpath/graphs",
# $webdotdir must be in the web server's tree somewhere. Even if you
use a
# local dot, we output images to there. Also, if $webdotdir is
# not relative to the bugzilla root directory, you'll need to
=== modified file 'Bugzilla/Install/Filesystem.pm'
--- Bugzilla/Install/Filesystem.pm 2010-07-13 23:03:47 +0000
+++ Bugzilla/Install/Filesystem.pm 2010-10-24 21:59:38 +0000
@@ -74,6 +74,7 @@
my $extlib = bz_locations()->{'ext_libpath'};
my $skinsdir = bz_locations()->{'skinsdir'};
my $localconfig = bz_locations()->{'localconfig'};
+ my $graphsdir = bz_locations()->{'graphsdir'};
# We want to set the permissions the same for all localconfig files
# across all PROJECTs, so we do something special with $localconfig,
@@ -176,7 +177,7 @@
dirs => $ws_dir_writeable },
$webdotdir => { files => $ws_writeable,
dirs => $ws_dir_writeable },
- graphs => { files => $ws_writeable,
+ $graphsdir => { files => $ws_writeable,
dirs => $ws_dir_writeable },
# Readable directories
@@ -228,7 +229,7 @@
"$datadir/extensions" => $ws_dir_readable,
$attachdir => $ws_dir_writeable,
$extensionsdir => $ws_dir_readable,
- graphs => $ws_dir_writeable,
+ $graphsdir => $ws_dir_writeable,
$webdotdir => $ws_dir_writeable,
"$skinsdir/custom" => $ws_dir_readable,
"$skinsdir/contrib" => $ws_dir_readable,
@@ -331,8 +332,17 @@
# in a subdirectory.
deny from all
EOT
-
-
+ },
+
+ "$graphsdir/.htaccess" => { perms => $ws_readable, contents => <<EOT
+# Allow access to .png and .gif files.
+<FilesMatch (\\.gif|\\.png)\$>
+ Allow from all
+</FilesMatch>
+
+# And no directory listings, either.
+Deny from all
+EOT
},
);
@@ -358,10 +368,11 @@
my %files = %{$fs->{create_files}};
my $datadir = bz_locations->{'datadir'};
+ my $graphsdir = bz_locations->{'graphsdir'};
# If the graphs/ directory doesn't exist, we're upgrading from
# a version old enough that we need to update the $datadir/mining
# format.
- if (-d "$datadir/mining" && !-d 'graphs') {
+ if (-d "$datadir/mining" && !-d $graphsdir) {
_update_old_charts($datadir);
}
=== modified file 'collectstats.pl'
--- collectstats.pl 2010-07-06 18:09:26 +0000
+++ collectstats.pl 2010-10-24 21:52:06 +0000
@@ -49,9 +49,12 @@
# in the regenerate mode).
$| = 1;
+my $datadir = bz_locations()->{'datadir'};
+my $graphsdir = bz_locations()->{'graphsdir'};
+
# Tidy up after graphing module
my $cwd = Cwd::getcwd();
-if (chdir("graphs")) {
+if (chdir($graphsdir)) {
unlink <./*.gif>;
unlink <./*.png>;
# chdir("..") doesn't work if graphs is a symlink, see bug 429378
@@ -68,8 +71,6 @@
$regenerate = 1;
}
-my $datadir = bz_locations()->{'datadir'};
-
my @myproducts = map {$_->name} Bugzilla::Product->get_all;
unshift(@myproducts, "-All-");
=== modified file 'reports.cgi'
--- reports.cgi 2009-10-24 05:21:06 +0000
+++ reports.cgi 2010-10-24 21:50:43 +0000
@@ -45,31 +45,28 @@
use Bugzilla::Error;
use Bugzilla::Status;
+use File::Basename;
+use Digest::MD5 qw(md5_hex);
+
# If we're using bug groups for products, we should apply those restrictions
# to viewing reports, as well. Time to check the login in that case.
my $user = Bugzilla->login();
+my $cgi = Bugzilla->cgi;
+my $template = Bugzilla->template;
+my $vars = {};
if (!Bugzilla->feature('old_charts')) {
ThrowCodeError('feature_disabled', { feature => 'old_charts' });
}
my $dir = bz_locations()->{'datadir'} . "/mining";
-my $graph_url = 'graphs';
-my $graph_dir = bz_locations()->{'libpath'} . '/' .$graph_url;
+my $graph_dir = bz_locations()->{'graphsdir'};
+my $graph_url = basename($graph_dir);
+my $product_name = $cgi->param('product') || '';
Bugzilla->switch_to_shadow_db();
-my $cgi = Bugzilla->cgi;
-my $template = Bugzilla->template;
-my $vars = {};
-
-# We only want those products that the user has permissions for.
-my @myproducts;
-push( @myproducts, "-All-");
-# Extract product names from objects and add them to the list.
-push( @myproducts, map { $_->name } @{$user->get_selectable_products} );
-
-if (! defined $cgi->param('product')) {
+if (!$product_name) {
# Can we do bug charts?
(-d $dir && -d $graph_dir)
|| ThrowCodeError('chart_dir_nonexistent',
@@ -87,51 +84,62 @@
push(@datasets, $datasets);
}
+ # We only want those products that the user has permissions for.
+ my @myproducts = ('-All-');
+ # Extract product names from objects and add them to the list.
+ push( @myproducts, map { $_->name } @{$user->get_selectable_products} );
+
$vars->{'datasets'} = \...@datasets;
$vars->{'products'} = \...@myproducts;
print $cgi->header();
-
- $template->process('reports/old-charts.html.tmpl', $vars)
- || ThrowTemplateError($template->error());
- exit;
}
else {
- my $product = $cgi->param('product');
-
# For security and correctness, validate the value of the "product" form
variable.
# Valid values are those products for which the user has permissions which
appear
# in the "product" drop-down menu on the report generation form.
- grep($_ eq $product, @myproducts)
- || ThrowUserError("invalid_product_name", {product => $product});
-
- # We've checked that the product exists, and that the user can see it
- # This means that is OK to detaint
- trick_taint($product);
-
- defined($cgi->param('datasets')) || ThrowUserError('missing_datasets');
-
- my $datasets = join('', $cgi->param('datasets'));
-
+ my ($product) = grep { $_->name eq $product_name }
@{$user->get_selectable_products};
+ ($product || $product_name eq '-All-')
+ || ThrowUserError('invalid_product_name', {product => $product_name});
+
+ # Product names can change over time. Their ID cannot; so use the ID
+ # to generate the filename.
+ my $prod_id = $product ? $product->id : 0;
+
+ # Make sure there is something to plot.
+ my @datasets = $cgi->param('datasets');
+ scalar(@datasets) || ThrowUserError('missing_datasets');
+
+ if (grep { $_ !~ /^[A-Za-z0-9:_-]+$/ } @datasets) {
+ ThrowUserError('invalid_datasets', {'datasets' => \...@datasets});
+ }
+
+ # Filenames must not be guessable as they can point to products
+ # you are not allowed to see. Also, different projects can have
+ # the same product names.
+ my $key = Bugzilla->localconfig->{'site_wide_secret'};
+ my $project = bz_locations()->{'project'} || '';
+ my $image_file = join(':', ($key, $project, $prod_id, @datasets));
+ # Wide characters cause md5_hex() to die.
+ if (Bugzilla->params->{'utf8'}) {
+ utf8::encode($image_file) if utf8::is_utf8($image_file);
+ }
my $type = chart_image_type();
- my $data_file = daily_stats_filename($product);
- my $image_file = chart_image_name($data_file, $type, $datasets);
- my $url_image = correct_urlbase() . "$graph_url/$image_file";
+ $image_file = md5_hex($image_file) . ".$type";
+ trick_taint($image_file);
if (! -e "$graph_dir/$image_file") {
- generate_chart("$dir/$data_file", "$graph_dir/$image_file", $type,
- $product, $datasets);
+ generate_chart($dir, "$graph_dir/$image_file", $type, $product,
\...@datasets);
}
- $vars->{'url_image'} = $url_image;
+ $vars->{'url_image'} = "$graph_url/$image_file";
print $cgi->header(-Content_Disposition=>'inline;
filename=bugzilla_report.html');
-
- $template->process('reports/old-charts.html.tmpl', $vars)
- || ThrowTemplateError($template->error());
- exit;
}
+$template->process('reports/old-charts.html.tmpl', $vars)
+ || ThrowTemplateError($template->error());
+
#####################
# Subroutines #
#####################
@@ -140,9 +148,8 @@
my $dir = shift;
my @datasets;
- my $datafile = daily_stats_filename('-All-');
- open(DATA, '<', "$dir/$datafile")
- || ThrowCodeError('chart_file_open_fail', {filename =>
"$dir/$datafile"});
+ open(DATA, '<', "$dir/-All-")
+ || ThrowCodeError('chart_file_open_fail', {filename => "$dir/-All-"});
while (<DATA>) {
if (/^# fields?: (.+)\s*$/) {
@@ -154,12 +161,6 @@
return @datasets;
}
-sub daily_stats_filename {
- my ($prodname) = @_;
- $prodname =~ s/\//-/gs;
- return $prodname;
-}
-
sub chart_image_type {
# what chart type should we be generating?
my $testimg = Chart::Lines->new(2,2);
@@ -169,32 +170,12 @@
return $type;
}
-sub chart_image_name {
- my ($data_file, $type, $datasets) = @_;
-
- # This routine generates a filename from the requested fields. The problem
- # is that we have to check the safety of doing this. We can't just require
- # that the fields exist, because what stats were collected could change
- # over time (eg by changing the resolutions available)
- # Instead, just require that each field name consists only of letters,
- # numbers, underscores and hyphens.
-
- if ($datasets !~ m/^[A-Za-z0-9:_-]+$/) {
- ThrowUserError('invalid_datasets', {'datasets' => $datasets});
- }
-
- # Since we pass the tests, consider it OK
- trick_taint($datasets);
-
- # Cache charts by generating a unique filename based on what they
- # show. Charts should be deleted by collectstats.pl nightly.
- my $id = join ("_", split (":", $datasets));
-
- return "${data_file}_${id}.$type";
-}
-
sub generate_chart {
- my ($data_file, $image_file, $type, $product, $datasets) = @_;
+ my ($dir, $image_file, $type, $product, $datasets) = @_;
+ $product = $product ? $product->name : '-All-';
+ my $data_file = $product;
+ $data_file =~ s/\//-/gs;
+ $data_file = $dir . '/' . $data_file;
if (! open FILE, $data_file) {
if ($product eq '-All-') {
@@ -205,7 +186,7 @@
my @fields;
my @labels = qw(DATE);
- my %datasets = map { $_ => 1 } split /:/, $datasets;
+ my %datasets = map { $_ => 1 } @$datasets;
my %data = ();
while (<FILE>) {
=== modified file 'template/en/default/global/user-error.html.tmpl'
--- template/en/default/global/user-error.html.tmpl 2010-10-14 00:43:05
+0000
+++ template/en/default/global/user-error.html.tmpl 2010-10-24 21:50:43
+0000
@@ -919,7 +919,7 @@
[% ELSIF error == "invalid_datasets" %]
[% title = "Invalid Datasets" %]
- Invalid datasets <em>[% datasets FILTER html %]</em>. Only digits,
+ Invalid datasets <em>[% datasets.join(":") FILTER html %]</em>. Only
digits,
letters and colons are allowed.
[% ELSIF error == "invalid_format" %]
=== modified file 'template/en/default/reports/old-charts.html.tmpl'
--- template/en/default/reports/old-charts.html.tmpl 2007-11-12 04:03:16
+0000
+++ template/en/default/reports/old-charts.html.tmpl 2010-10-24 21:50:43
+0000
@@ -51,7 +51,7 @@
[%# We cannot use translated statuses and resolutions from
field-descs.none.html
# because old charts do not distinguish statuses from
resolutions. %]
[% FOREACH dataset = datasets %]
- <option value="[% dataset.value FILTER html %]:"
+ <option value="[% dataset.value FILTER html %]"
[% " selected=\"selected\"" IF dataset.selected %]>
[% dataset.value FILTER html %]</option>
[% END %]
