From a9ae7dc999f0d64408720883fbb1be166a7b9e52 Mon Sep 17 00:00:00 2001
From: "justdave%bugzilla.org" <justdave%bugzilla.org>
Date: Mon, 25 Oct 2004 07:19:05 +0000
Subject: [PATCH] [SECURITY] Bug 252638: It is possible to send a carefully
 crafted HTTP POST message to process_bug.cgi which will remove keywords from
 a bug even if you don't have permissions to edit all bug fields (the
 "editbugs" permission).  Such changes are reported in "bug changed" email
 notifications, so they are easily detected and reversed if someone abuses it.
 Patch by Myk Melez <myk@mozilla.org> r=gerv, a=justdave

---
 webtools/bugzilla/process_bug.cgi | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/webtools/bugzilla/process_bug.cgi b/webtools/bugzilla/process_bug.cgi
index 9e47d8f98a89..c265ab8b9d1e 100755
--- a/webtools/bugzilla/process_bug.cgi
+++ b/webtools/bugzilla/process_bug.cgi
@@ -1034,6 +1034,9 @@ if ($::FORM{'keywords'}) {
 }
 
 my $keywordaction = $::FORM{'keywordaction'} || "makeexact";
+if (!grep($keywordaction eq $_, qw(add delete makeexact))) {
+    $keywordaction = "makeexact";
+}
 
 if ($::comma eq ""
     && (! @groupAdd) && (! @groupDel)
@@ -1174,6 +1177,23 @@ foreach my $id (@idlist) {
         $i++;
     }
 
+    # When editing multiple bugs, users can specify a list of keywords to delete
+    # from bugs.  If the list matches the current set of keywords on those bugs,
+    # CheckCanChangeField above will fail to check permissions because it thinks
+    # the list hasn't changed.  To fix that, we have to call CheckCanChangeField
+    # again with old!=new if the keyword action is "delete" and old=new.
+    if ($keywordaction eq "delete"
+        && exists $::FORM{keywords}
+        && length(@keywordlist) > 0
+        && $::FORM{keywords} eq $oldhash{keywords}
+        && !CheckCanChangeField("keywords", $id, "old is not", "equal to new"))
+    {
+        $vars->{'oldvalue'} = $oldhash{keywords};
+        $vars->{'newvalue'} = "no keywords";
+        $vars->{'field'} = "keywords";
+        ThrowUserError("illegal_change", $vars, "abort");
+    }
+
     $oldhash{'product'} = get_product_name($oldhash{'product_id'});
     if (!CanEditProductId($oldhash{'product_id'})) {
         ThrowUserError("product_edit_denied",
@@ -1311,7 +1331,7 @@ foreach my $id (@idlist) {
         $bug_changed = 1;
     }
 
-    if (@::legal_keywords) {
+    if (@::legal_keywords && exists $::FORM{keywords}) {
         # There are three kinds of "keywordsaction": makeexact, add, delete.
         # For makeexact, we delete everything, and then add our things.
         # For add, we delete things we're adding (to make sure we don't