View Issue Details

ID: 0007772
Project: mantisbt
Category: security
View Status: public
Last Update: 2007-05-08 03:43
Reporter: daudo
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.6
Target Version: 1.0.7
Fixed in Version: 1.0.7
Summary0007772: email notifications bypass security on custom fields
Description

This is very much like 0007364 and 0003375, except that this time it is about the email notifications that are sent out.

IMO, this is at least as critical as it was for the bug history.

Tags: No tags attached.
Attached Files
custom_fields_vs_email.patch (503 bytes)
--- email_api.php	2005-08-04 22:57:50.000000000 +0200
+++ email_api.php.new	2007-02-21 01:38:31.042770584 +0100
@@ -1081,7 +1080,7 @@
 
 		# put history data
 		if ( ( ON == config_get( 'history_default_visible' ) ) &&  access_compare_level( $t_user_access_level, config_get( 'view_history_threshold' ) ) ) {
-			$t_bug_data['history']  = history_get_raw_events_array( $p_bug_id );
+			$t_bug_data['history']  = history_get_raw_events_array( $p_bug_id, $p_user_id );
 		}
 
 		# Sponsorship Information
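Review bot: the new call passes $p_user_id into history_get_raw_events_array(), but nothing in the hunk shows $p_user_id being defined in the enclosing function of email_api.php; please confirm the function receives it (the access_compare_level() check on the line above already uses a per-user $t_user_access_level, so a user id should be available, but the variable name needs verifying). Two caveats for anyone applying this: the second parameter only has an effect if history_get_raw_events_array() has been changed to accept a user id (the reporter says that comes from the 0007743 patch), and on a tree without that change PHP silently ignores the extra argument, so the fix becomes a no-op with no error; and the hunk header "@@ -1081,7 +1080,7 @@" shows the patch was taken against an already-modified file, so it may not apply cleanly to upstream 1.0.6. Note also that this hunk only filters the history block of the notification; it does not by itself address custom field values that reach the email through other paths, which is why the reporter points at 0007774.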

Relationships

parent of 0007794 (closed, vboctor): Port 7772: Email notifications bypass security on custom fields

Activities

daudo (reporter), 2007-02-20 18:40, note ~0014077

OK, so here comes a small patch that fixes this issue. Please note that I am reporting this using Debian's patched version 1.0.6, which incorporates the patch from 0007743.

However, even that will not be sufficient unless bug 0007774 is resolved as well.

I don't know whether that also applies to the 1.1.0 development tree.

vboctor (manager), 2007-03-05 09:28, note ~0014128

Although the access check on custom field values in bug history is implemented in the 1.1.x branch, this issue seems to be applicable to it and needs to be fixed there as well.