From 12a9dcbb24b2abf8adf35f587c2d81ea273f60b7 Mon Sep 17 00:00:00 2001
From: Damien Regad
Date: Mon, 7 Dec 2020 00:08:56 +0100
Subject: [PATCH] Prevent disclosure of private issue summary

Insufficient access level checks allowed an attacker to display private issues' summary via Group Actions (bug_actiongroup_page.php).

Going through the provided list of issue IDs (bug_arr[]) and removing any issues the user does not have access to, fixes the vulnerability.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for reporting the issue.

Fixes #27727, #27357, CVE-2020-29605
---
 bug_actiongroup_page.php | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/bug_actiongroup_page.php b/bug_actiongroup_page.php
index 2610ab9cb2..800a259692 100644
--- a/bug_actiongroup_page.php
+++ b/bug_actiongroup_page.php
@@ -73,16 +73,17 @@
 $t_project_id = ALL_PROJECTS;
 $t_multiple_projects = false;
 $t_projects = array();
-
-# Array of parameters to be used with plugin event
-$t_event_params = array();
-$t_event_params['bug_ids'] = $f_bug_arr;
-$t_event_params['action'] = $f_action;
-$t_event_params['has_bugnote'] = false;
+$t_view_bug_threshold = config_get( 'view_bug_threshold' );
 bug_cache_array_rows( $f_bug_arr );
-foreach( $f_bug_arr as $t_bug_id ) {
+foreach( $f_bug_arr as $t_key => $t_bug_id ) {
+	# Remove any issues the user doesn't have access to
+	if( !access_has_bug_level( $t_view_bug_threshold, $t_bug_id ) ) {
+		unset( $f_bug_arr[$t_key] );
+		continue;
+	}
+
 	$t_bug = bug_get( $t_bug_id );
 	if( $t_project_id != $t_bug->project_id ) {
 		if( ( $t_project_id != ALL_PROJECTS ) && !$t_multiple_projects ) {
@@ -93,6 +94,12 @@
 		}
 	}
 }
+
+# Array of parameters to be used with plugin event
+$t_event_params = array();
+$t_event_params['bug_ids'] = $f_bug_arr;
+$t_event_params['action'] = $f_action;
+$t_event_params['has_bugnote'] = false;
 $t_event_params['multiple_projects'] = $t_multiple_projects;
 if( $t_multiple_projects ) {
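Review bot: The threshold handed to `access_has_bug_level` in the new check is resolved once before the loop by `config_get( 'view_bug_threshold' )`, yet the loop visibly expects issues from several projects (`$t_multiple_projects`); if that option is project-scoped, as it appears to be for other MantisBT callers that pass a project id, an issue in a project with a stricter threshold would be tested against the current project's value and could still slip through. Fetching the bug first and resolving the threshold against its own project closes that gap, e.g. `$t_bug = bug_get( $t_bug_id ); if( !access_has_bug_level( config_get( 'view_bug_threshold', null, null, $t_bug->project_id ), $t_bug_id ) ) {` — assuming `config_get` accepts a project argument here, which this hunk does not show. A comment such as `# Check against the issue's own project: bug_arr[] may span projects` would record the reason. Note also that `bug_cache_array_rows( $f_bug_arr )` still runs on the unfiltered, attacker-supplied list before the check; that does not disclose anything by itself, but whatever it does with non-existent ids happens outside this hunk. The foreach body and the enclosing script both continue past the end of the hunk.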
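Review bot: After the `unset()` calls in the loop above, `$f_bug_arr` keeps its original integer keys, so the `bug_ids` stored in `$t_event_params` here (and any later use of the array in this page) can now be a sparse array instead of the 0-based list it was before the change; a plugin that walks it by index or compares `count()` with the highest key would behave differently. Reindexing once the filtering is complete, `$f_bug_arr = array_values( $f_bug_arr );` placed just before `$t_event_params = array();`, restores the previous shape, with a one-line comment `# Reindex: inaccessible issues were unset in the loop above` to explain it. Separately, nothing in this hunk stops the page when every requested issue has been filtered out, so the empty-list case is presumably left to code outside the hunk; if it is not handled there, an explicit early exit after the loop would be clearer than continuing with an empty `bug_ids`. The surrounding script continues beyond the hunk.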