diff options
| author | justdave%syndicomm.com <> | 2001-11-21 17:30:47 +0100 |
|---|---|---|
| committer | justdave%syndicomm.com <> | 2001-11-21 17:30:47 +0100 |
| commit | 6bba72d1c264bb3469c0350ef29ca65bc6004a77 (patch) | |
| tree | d96913c081d0c8470daa93f4ffcf782c73d9e3e5 | |
| parent | dd8f8cedb0637e5afb46bf50e3e6569520b88f7b (diff) | |
| download | bugzilla-6bba72d1c264bb3469c0350ef29ca65bc6004a77.tar.gz bugzilla-6bba72d1c264bb3469c0350ef29ca65bc6004a77.tar.xz | |
Fix for bug 102141: SECURITY FIX - the Product popup menu on the show_bug form listed all products, even if the user didn't
have access to all of them. It now only shows products the user has access to (and the product the bug is in, if the user is
viewing it because of some other override)
Patch by George Hotelling <george.hotelling@iconideas.com> and Dave Miller <justdave@syndicomm.com>
r= bbaetz, caillon
| -rw-r--r-- | bug_form.pl | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/bug_form.pl b/bug_form.pl index 67829d111..2f8cea0a5 100644 --- a/bug_form.pl +++ b/bug_form.pl @@ -38,7 +38,6 @@ sub bug_form_pl_sillyness { $zz = @::legal_keywords; $zz = @::legal_opsys; $zz = @::legal_platform; - $zz = @::legal_product; $zz = @::legal_priority; $zz = @::settable_resolution; $zz = @::legal_severity; @@ -149,6 +148,49 @@ if (defined $URL && $URL ne "none" && $URL ne "NULL" && $URL ne "") { $URL = "<B>URL:</B>"; } +# +# Make a list of products the user has access to +# + +my (@prodlist, $product_popup); +foreach my $p (sort(keys %::versions)) { + if ($p eq $bug{'product'}) { + # if it's the product the bug is already in, it's ALWAYS in + # the popup, period, whether the user can see it or not, and + # regardless of the disallownew setting. + push(@prodlist, $p); + next; + } + if (defined $::proddesc{$p} && $::proddesc{$p} eq '0') { + # Special hack. If we stuffed a "0" into proddesc, that means + # that disallownew was set for this bug, and so we don't want + # to allow people to specify that product here. + next; + } + if(Param("usebuggroupsentry") + && GroupExists($p) + && !UserInGroup($p)) + { + # If we're using bug groups to restrict entry on products, and + # this product has a bug group, and the user is not in that + # group, we don't want to include that product in this list. + next; + } + push(@prodlist, $p); +} + +# If the user has access to multiple products, display a popup, otherwise +# display the current product. + +if (1 < @prodlist) { + $product_popup = "<SELECT NAME=product>" . + make_options(\@prodlist, $bug{'product'}) . + "</SELECT>"; +} +else { + $product_popup = $bug{'product'}; +} + print " <INPUT TYPE=HIDDEN NAME=\"delta_ts\" VALUE=\"$bug{'delta_ts'}\"> <INPUT TYPE=HIDDEN NAME=\"longdesclength\" VALUE=\"$longdesclength\"> @@ -162,9 +204,7 @@ print " <TD ALIGN=RIGHT><B>Reporter:</B></TD><TD>$bug{'reporter'}</TD> </TR><TR> <TD ALIGN=RIGHT><B>Product:</B></TD> - <TD><SELECT NAME=product>" . - make_options(\@::legal_product, $bug{'product'}) . - "</SELECT></TD> + <TD>$product_popup</TD> <TD> </TD> <TD ALIGN=RIGHT><B>OS:</B></TD> <TD><SELECT NAME=op_sys>" . |