author | justdave%bugzilla.org <> | 2004-10-25 16:33:20 +0200 |
---|---|---|
committer | justdave%bugzilla.org <> | 2004-10-25 16:33:20 +0200 |
commit | 22628e0ab83b78056beed1663af9bf14071a97fc (patch) | |
tree | 6878216f7509d4b630b08761ba06f186ec092594 | |
parent | 53bd4df6f142c240d7beaa6b6789839da1f5f164 (diff) | |
[SECURITY] Bug 253544: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when viewing the bug activity log. This only affects sites that use the 'insidergroup' feature.
Patch by Joel Peshkin <bugreport@peshkin.net>
r=zach,justdave, a=justdave
-rw-r--r-- | CGI.pl | 12 |
1 files changed, 9 insertions, 3 deletions
@@ -315,7 +315,13 @@ sub GetBugActivity {
 if (defined $starttime) {
 $datepart = "and bugs_activity.bug_when > " . SqlQuote($starttime);
 }
-
+ my $suppjoins = "";
+ my $suppwhere = "";
+ if (Param("insidergroup") && !UserInGroup(Param('insidergroup'))) {
+ $suppjoins = "LEFT JOIN attachments
+ ON attachments.attach_id = bugs_activity.attach_id";
+ $suppwhere = "AND NOT(COALESCE(attachments.isprivate,0))";
+ }
 my $query = "
 SELECT COALESCE(fielddefs.description, bugs_activity.fieldid),
 fielddefs.name,
@@ -323,11 +329,11 @@ sub GetBugActivity {
 DATE_FORMAT(bugs_activity.bug_when,'%Y.%m.%d %H:%i'),
 bugs_activity.removed, bugs_activity.added,
 profiles.login_name
- FROM bugs_activity LEFT JOIN fielddefs ON
+ FROM bugs_activity $suppjoins LEFT JOIN fielddefs ON
 bugs_activity.fieldid = fielddefs.fieldid,
 profiles
 WHERE bugs_activity.bug_id = $id $datepart
- AND profiles.userid = bugs_activity.who
+ AND profiles.userid = bugs_activity.who $suppwhere
 ORDER BY bugs_activity.bug_when";
 SendSQL($query); |
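Review bot: The new guard in the first hunk calls Param twice with mixed quoting (`Param("insidergroup")` and `Param('insidergroup')`) and the block carries no comment explaining why the extra join exists; hoisting the value reads cleaner and documents the intent: `# Hide activity rows on private attachments from users outside the insider group.` followed by `my $insider = Param('insidergroup');` and `if ($insider && !UserInGroup($insider)) {`. The filter itself is sound for rows that have no attachment, since the LEFT JOIN yields a NULL isprivate there and `COALESCE(attachments.isprivate,0)` keeps them visible, and because both `$suppjoins` and `$suppwhere` are constant strings their interpolation into the query in the second hunk adds no new SQL-injection surface beyond the pre-existing `$id`/`$datepart` interpolation. What the check does rely on is every code path that records an attachment metadata change populating `bugs_activity.attach_id`; that cannot be confirmed from these hunks and is worth stating in the comment so a future writer of bugs_activity rows knows the invariant. GetBugActivity starts before the first hunk and ends after the second.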