authorjustdave%syndicomm.com <>2003-11-03 12:20:49 +0100
committerjustdave%syndicomm.com <>2003-11-03 12:20:49 +0100
commit808d96e117740d8cd8221dbf3c82c54de1bb7272 (patch)
tree4a74d0ab4379e8f8dd7a758256cfc779be4acc00
parent92b479d9cc1a9ffcd0d8b738c0717bb35dbeed61 (diff)
[SECURITY] Bug 209376: If you know the email address of someone who has voted on a secure bug, you can access the summary of that bug even if you do not have sufficient permissions to view the bug itself.
Patch by Gervase Markham <gerv@mozilla.org> r= justdave, bbaetz a= justdave
-rwxr-xr-xvotes.cgi10
1 files changed, 3 insertions, 7 deletions
diff --git a/votes.cgi b/votes.cgi
index 0d9cf47b6..ed7f6ad51 100755
--- a/votes.cgi
+++ b/votes.cgi
@@ -128,12 +128,8 @@ sub show_user {
my $bug_id = $::FORM{'bug_id'} || "";
my $name = $::FORM{'user'} || Bugzilla->user->login;
- my $who = DBname_to_id($name);
-
- # After DBNameToIdAndCheck is templatised and prints a Content-Type,
- # the above should revert to a call to that function, and this
- # special error handling should go away.
- $who || ThrowUserError("invalid_username", {name => $name});
+ my $who = DBNameToIdAndCheck($name);
+ my $userid = Bugzilla->user ? Bugzilla->user->id : 0;
my $canedit = 1 if (Bugzilla->user &&
$name eq Bugzilla->user->login);
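Review bot: The new `$userid` on the line after the DBNameToIdAndCheck call is the viewer's id while `$who` is the voter whose votes are being listed, and nothing in the hunk states that distinction, which is exactly the confusion the original leak came from. A comment above `my $userid = ...` would keep a later edit from passing `$who` back into the visibility check: `# $who is the user whose votes are listed; $userid is the viewer (0 when logged out).` and `# Visibility checks below must use $userid, never $who.`. The CanSeeBug call that consumes `$userid` sits in the second hunk of this file, and show_user's body continues outside the hunk.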
@@ -193,7 +189,7 @@ sub show_user {
# and they can see there are votes 'missing', but not on what bug
# they are. This seems a reasonable compromise; the alternative is
# to lie in the totals.
- next if !CanSeeBug($id, $who);
+ next if !CanSeeBug($id, $userid);
push (@bugs, { id => $id,
summary => $summary,