summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorterry%mozilla.org <>1999-05-28 00:17:25 +0200
committerterry%mozilla.org <>1999-05-28 00:17:25 +0200
commitf47c0339e2c258c878e6284970d917dcd3960cba (patch)
treece7a23f45dfc55420b74e8cb4c7c4fb956261421
parent9b1a447768cf2986a77c341274a254f06fe9d79d (diff)
downloadbugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.gz
bugzilla-f47c0339e2c258c878e6284970d917dcd3960cba.tar.xz
Patched minor security hole; don't show summary of bugs that the user
doesn't have permission to see.
-rwxr-xr-xshowdependencygraph.cgi6
-rwxr-xr-xshowdependencytree.cgi8
2 files changed, 12 insertions, 2 deletions
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index 6ead9f84d..7e06ffc62 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -47,6 +47,8 @@ PutHeader("Dependency graph", "Dependency graph", $id);
if (defined $id) {
ConnectToDatabase();
+ quietly_check_login();
+ $::usergroupset = $::usergroupset; # More warning suppression silliness.
mkdir("data/webdot", 0777);
@@ -99,8 +101,10 @@ node [URL="${urlbase}show_bug.cgi?id=\\N", style=filled, color=lightgrey]
my $summary = "";
my $stat;
if ($::FORM{'showsummary'}) {
- SendSQL("select bug_status, short_desc from bugs where bug_id = $k");
+ SendSQL("select bug_status, short_desc from bugs where bug_id = $k and bugs.groupset & $::usergroupset = bugs.groupset");
($stat, $summary) = (FetchSQLData());
+ $stat = "NEW" if !defined $stat;
+ $summary = "" if !defined $summary;
} else {
SendSQL("select bug_status from bugs where bug_id = $k");
$stat = FetchOneColumn();
diff --git a/showdependencytree.cgi b/showdependencytree.cgi
index 92964648f..f457d67a3 100755
--- a/showdependencytree.cgi
+++ b/showdependencytree.cgi
@@ -37,6 +37,10 @@ PutHeader("Dependency tree", "Dependency tree", "Bug $linkedid");
ConnectToDatabase();
+quietly_check_login();
+
+$::usergroupset = $::usergroupset; # More warning suppression silliness.
+
my %seen;
sub DumpKids {
@@ -53,8 +57,10 @@ sub DumpKids {
if (@list) {
print "<ul>\n";
foreach my $kid (@list) {
- SendSQL("select bug_status, short_desc from bugs where bug_id = $kid");
+ SendSQL("select bug_status, short_desc from bugs where bug_id = $kid and bugs.groupset & $::usergroupset = bugs.groupset");
my ($stat, $short_desc) = (FetchSQLData());
+ $stat = "NEW" if !defined $stat;
+ $short_desc = "" if !defined $short_desc;
my $opened = ($stat eq "NEW" || $stat eq "ASSIGNED" ||
$stat eq "REOPENED");
print "<li>";