diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2010-02-01 22:19:31 +0100 |
---|---|---|
committer | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-02-01 22:19:31 +0100 |
commit | 6d11d68f570d4d921f078a67ce1928703df4bf2e (patch) | |
tree | c97a1429bde0a22dfbee73a9900d663d43692b00 | |
parent | d80ce7526c14db8737febb824347c1ee09af2707 (diff) | |
download | bugzilla-6d11d68f570d4d921f078a67ce1928703df4bf2e.tar.gz bugzilla-6d11d68f570d4d921f078a67ce1928703df4bf2e.tar.xz |
Bug 532493: [SECURITY] Restricting a bug to a group while moving it to another product has no effect if the group is not used by both products
Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
-rw-r--r-- | Bugzilla/Bug.pm | 27 | ||||
-rwxr-xr-x | process_bug.cgi | 37 |
2 files changed, 20 insertions, 44 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 1eaafb698..fd28b5b82 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -643,33 +643,6 @@ sub run_create_validators { return $params; } -sub set_all { - my ($self, $args) = @_; - - # For security purposes, and because lots of other checks depend on it, - # we set the product first before anything else. - my $product_change = 0; - if ($args->{product}) { - my $changed = $self->set_product($args->{product}, - { component => $args->{component}, - version => $args->{version}, - target_milestone => $args->{target_milestone}, - change_confirmed => $args->{confirm_product_change}, - other_bugs => $args->{other_bugs}, - }); - # that will be used later to check strict isolation - $product_change = $changed; - } - - # add/remove groups - $self->remove_group($_) foreach @{$args->{remove_group}}; - $self->add_group($_) foreach @{$args->{add_group}}; - - # this is temporary until all related code is moved from - # process_bug.cgi to set_all - return $product_change; -} - sub update { my $self = shift; diff --git a/process_bug.cgi b/process_bug.cgi index 6c9baa3d3..237588ebd 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -236,36 +236,39 @@ foreach my $bug (@bug_objects) { } } -my $product_change; -foreach my $bug (@bug_objects) { - my $args; - if (should_set('product')) { - $args->{product} = scalar $cgi->param('product'); - $args->{component} = scalar $cgi->param('component'); - $args->{version} = scalar $cgi->param('version'); - $args->{target_milestone} = scalar $cgi->param('target_milestone'); - $args->{confirm_product_change} = scalar $cgi->param('confirm_product_change'); - $args->{other_bugs} = \@bug_objects; +# For security purposes, and because lots of other checks depend on it, +# we set the product first before anything else. +my $product_change; # Used only for strict_isolation checks, right now. +if (should_set('product')) { + foreach my $b (@bug_objects) { + my $changed = $b->set_product(scalar $cgi->param('product'), + { component => scalar $cgi->param('component'), + version => scalar $cgi->param('version'), + target_milestone => scalar $cgi->param('target_milestone'), + change_confirmed => scalar $cgi->param('confirm_product_change'), + other_bugs => \@bug_objects, + }); + $product_change ||= $changed; } +} - foreach my $group (@{$bug->product_obj->groups_valid}) { +# strict_isolation checks mean that we should set the groups +# immediately after changing the product. +foreach my $b (@bug_objects) { + foreach my $group (@{$b->product_obj->groups_valid}) { my $gid = $group->id; if (should_set("bit-$gid", 1)) { # Check ! first to avoid having to check defined below. if (!$cgi->param("bit-$gid")) { - push (@{$args->{remove_group}}, $gid); + $b->remove_group($gid); } # "== 1" is important because mass-change uses -1 to mean # "don't change this restriction" elsif ($cgi->param("bit-$gid") == 1) { - push (@{$args->{add_group}}, $gid); + $b->add_group($gid); } } } - - # this will be deleted later when code moves to $bug->set_all - my $changed = $bug->set_all($args); - $product_change ||= $changed; } # Flags should be set AFTER the bug has been moved into another product/component. |