summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjake%acutex.net <>2001-06-02 23:24:45 +0200
committerjake%acutex.net <>2001-06-02 23:24:45 +0200
commitb42289bb5c84bff0bc610c8d3d87b63e4246a240 (patch)
tree9145832fb4cadc38d242f98b554c4a68c089e43b
parentb0aff47d71d587a512673fe78c910024fc675f9d (diff)
downloadbugzilla-b42289bb5c84bff0bc610c8d3d87b63e4246a240.tar.gz
bugzilla-b42289bb5c84bff0bc610c8d3d87b63e4246a240.tar.xz
sanitycheck.cgi was able to be run by anybody - even people without Bugzilla accounts. It is now restricted to only people with the editbugs permission (bug 54556).
Patch by Myk Melez <myk@mozilla.org> r= jake@acutex.net
-rwxr-xr-xsanitycheck.cgi17
1 files changed, 16 insertions, 1 deletions
diff --git a/sanitycheck.cgi b/sanitycheck.cgi
index 2da7fde2f..bc3b823c7 100755
--- a/sanitycheck.cgi
+++ b/sanitycheck.cgi
@@ -27,10 +27,25 @@ require "CGI.pl";
use vars %::FORM;
+ConnectToDatabase();
+
+confirm_login();
+
+# Make sure the user is authorized to access sanitycheck.cgi. Access
+# is restricted to logged-in users who have "editbugs" privileges,
+# which is a reasonable compromise between allowing all users to access
+# the script (creating the potential for denial of service attacks)
+# and restricting access to this installation's administrators (which
+# prevents users with a legitimate interest in Bugzilla integrity
+# from accessing the script).
+UserInGroup("editbugs")
+ || DisplayError("You are not authorized to access this script,
+ which is reserved for users with the ability to edit bugs.")
+ && exit;
+
print "Content-type: text/html\n";
print "\n";
-ConnectToDatabase();
SendSQL("set SQL_BIG_TABLES=1");
my $offervotecacherebuild = 0;