summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon Green <sgreen@redhat.com>2013-02-19 18:14:59 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2013-02-19 18:14:59 +0100
commit0bd4c361b4a5fe0e0773e77571a84234b8f91f76 (patch)
tree4cd125aa182bc215c61dca04f06054a0786e7fa5
parent7e4fb28341abfe2a5c31645e20c5804229e8eaea (diff)
downloadbugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.gz
bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.xz
Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
r/a=LpSolit
-rw-r--r--Bugzilla/Config/GroupSecurity.pm8
-rwxr-xr-xbuglist.cgi5
-rwxr-xr-xreport.cgi8
-rw-r--r--template/en/default/admin/params/groupsecurity.html.tmpl3
4 files changed, 22 insertions, 2 deletions
diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm
index f7f717379..6296583d9 100644
--- a/Bugzilla/Config/GroupSecurity.pm
+++ b/Bugzilla/Config/GroupSecurity.pm
@@ -81,6 +81,14 @@ sub get_param_list {
},
{
+ name => 'debug_group',
+ type => 's',
+ choices => \&_get_all_group_names,
+ default => 'admin',
+ checker => \&check_group
+ },
+
+ {
name => 'usevisibilitygroups',
type => 'b',
default => 0
diff --git a/buglist.cgi b/buglist.cgi
index 7439b78ee..b5604d2bd 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -786,7 +786,10 @@ $params->delete('limit') if $vars->{'default_limited'};
# Query Execution
################################################################################
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+ && Bugzilla->params->{debug_group}
+ && $user->in_group(Bugzilla->params->{debug_group})
+) {
$vars->{'debug'} = 1;
$vars->{'query'} = $query;
# Explains are limited to admins because you could use them to figure
diff --git a/report.cgi b/report.cgi
index 5d5033b7d..7bff62be9 100755
--- a/report.cgi
+++ b/report.cgi
@@ -226,7 +226,13 @@ $vars->{'width'} = $width if $width;
$vars->{'height'} = $height if $height;
$vars->{'query'} = $query;
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+ && Bugzilla->params->{debug_group}
+ && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+ $vars->{'debug'} = 1;
+}
if ($action eq "wrap") {
# So which template are we using? If action is "wrap", we will be using
diff --git a/template/en/default/admin/params/groupsecurity.html.tmpl b/template/en/default/admin/params/groupsecurity.html.tmpl
index ab39a9149..783099a11 100644
--- a/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/template/en/default/admin/params/groupsecurity.html.tmpl
@@ -42,6 +42,9 @@
querysharegroup => "The name of the group of users who can share their " _
"saved searches with others.",
+ debug_group => "The name of the group of users who can view the actual " _
+ "SQL query generated when viewing $terms.bug lists and reports.",
+
usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
"specific groups?",