author | jake%acutex.net <> | 2001-06-02 23:24:45 +0200 |
---|---|---|
committer | jake%acutex.net <> | 2001-06-02 23:24:45 +0200 |
commit | b42289bb5c84bff0bc610c8d3d87b63e4246a240 (patch) | |
tree | 9145832fb4cadc38d242f98b554c4a68c089e43b | |
parent | b0aff47d71d587a512673fe78c910024fc675f9d (diff) | |
download | bugzilla-b42289bb5c84bff0bc610c8d3d87b63e4246a240.tar.gz bugzilla-b42289bb5c84bff0bc610c8d3d87b63e4246a240.tar.xz |
sanitycheck.cgi was able to be run by anybody - even people without Bugzilla accounts. It is now restricted to only people with the editbugs permission (bug 54556).
Patch by Myk Melez <myk@mozilla.org>
r= jake@acutex.net
-rwxr-xr-x | sanitycheck.cgi | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/sanitycheck.cgi b/sanitycheck.cgi index 2da7fde2f..bc3b823c7 100755 --- a/sanitycheck.cgi +++ b/sanitycheck.cgi @@ -27,10 +27,25 @@ require "CGI.pl"; use vars %::FORM; +ConnectToDatabase(); + +confirm_login(); + +# Make sure the user is authorized to access sanitycheck.cgi. Access +# is restricted to logged-in users who have "editbugs" privileges, +# which is a reasonable compromise between allowing all users to access +# the script (creating the potential for denial of service attacks) +# and restricting access to this installation's administrators (which +# prevents users with a legitimate interest in Bugzilla integrity +# from accessing the script). +UserInGroup("editbugs") + || DisplayError("You are not authorized to access this script, + which is reserved for users with the ability to edit bugs.") + && exit; + print "Content-type: text/html\n"; print "\n"; -ConnectToDatabase(); SendSQL("set SQL_BIG_TABLES=1"); my $offervotecacherebuild = 0; |
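Review bot: In the added `UserInGroup("editbugs") || DisplayError(...) && exit;` statement, `&&` binds tighter than `||`, so `exit` runs only when DisplayError returns a true value. If it returns a false or empty value, an unauthorized request falls through to the `print "Content-type: text/html\n";` line and the sanity checks run anyway. What DisplayError returns is not visible in this patch, so the access check should not depend on it. An explicit form such as `if (!UserInGroup("editbugs")) { DisplayError("..."); exit; }` makes the exit unconditional. A smaller point on the same statement: the error string spans two source lines, so the message shown to the user carries an embedded newline and the second line's indentation. Keeping the literal on one line or concatenating two strings avoids that.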