diff options
author | Simon Green <sgreen@redhat.com> | 2013-02-19 18:11:40 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:11:40 +0100 |
commit | e2c8da0dfc534ffca6232cc7d370299d5d446604 (patch) | |
tree | 94031fcc7203f315398ddb7d3055908769e99294 | |
parent | fab1e128fd61a78809ee967279e8acc6b6962f1e (diff) | |
download | bugzilla-e2c8da0dfc534ffca6232cc7d370299d5d446604.tar.gz bugzilla-e2c8da0dfc534ffca6232cc7d370299d5d446604.tar.xz |
Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
r/a=LpSolit
-rw-r--r-- | Bugzilla/Config/GroupSecurity.pm | 8 | ||||
-rwxr-xr-x | buglist.cgi | 5 | ||||
-rwxr-xr-x | report.cgi | 8 | ||||
-rw-r--r-- | template/en/default/admin/params/groupsecurity.html.tmpl | 3 |
4 files changed, 22 insertions, 2 deletions
diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm index d5f02f42d..d57573de3 100644 --- a/Bugzilla/Config/GroupSecurity.pm +++ b/Bugzilla/Config/GroupSecurity.pm @@ -58,6 +58,14 @@ sub get_param_list { }, { + name => 'debug_group', + type => 's', + choices => \&_get_all_group_names, + default => 'admin', + checker => \&check_group + }, + + { name => 'usevisibilitygroups', type => 'b', default => 0 diff --git a/buglist.cgi b/buglist.cgi index 625b7eab8..97654cdf2 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -721,7 +721,10 @@ $::SIG{PIPE} = 'DEFAULT'; my ($data, $extra_data) = $search->data; $vars->{'search_description'} = $search->search_description; -if ($cgi->param('debug')) { +if ($cgi->param('debug') + && Bugzilla->params->{debug_group} + && $user->in_group(Bugzilla->params->{debug_group}) +) { $vars->{'debug'} = 1; $vars->{'queries'} = $extra_data; my $query_time = 0; diff --git a/report.cgi b/report.cgi index 2949a18c3..5e51bd34a 100755 --- a/report.cgi +++ b/report.cgi @@ -258,7 +258,13 @@ $vars->{'width'} = $width; $vars->{'height'} = $height; $vars->{'queries'} = $extra_data; $vars->{'saved_report_id'} = $cgi->param('saved_report_id'); -$vars->{'debug'} = $cgi->param('debug'); + +if ($cgi->param('debug') + && Bugzilla->params->{debug_group} + && Bugzilla->user->in_group(Bugzilla->params->{debug_group}) +) { + $vars->{'debug'} = 1; +} if ($action eq "wrap") { # So which template are we using? If action is "wrap", we will be using diff --git a/template/en/default/admin/params/groupsecurity.html.tmpl b/template/en/default/admin/params/groupsecurity.html.tmpl index 86cbedcf8..7e30f0723 100644 --- a/template/en/default/admin/params/groupsecurity.html.tmpl +++ b/template/en/default/admin/params/groupsecurity.html.tmpl @@ -29,6 +29,9 @@ querysharegroup => "The name of the group of users who can share their " _ "saved searches with others.", + debug_group => "The name of the group of users who can view the actual " _ + "SQL query generated when viewing $terms.bug lists and reports.", + usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _ "specific groups?", |