Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group

r=glob,a=glob
author: Simon Green <sgreen@redhat.com> 2014-10-06 16:49:38 +0200
committer: David Lawrence <dkl@mozilla.com> 2014-10-06 16:49:38 +0200
commit: fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d (patch)
tree: 01b1eeaeeecd240a743cb280e2dbf101ad2aac37 /Bugzilla/Flag.pm
parent: f33b119d68d21074d08a6bd72f960319276e182b (diff)
download: bugzilla-fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d.tar.gz
bugzilla-fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d.tar.xz
1 files changed, 21 insertions, 7 deletions
diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm
index 772a39325..50474b885 100644
--- a/Bugzilla/Flag.pm
+++ b/Bugzilla/Flag.pm
@@ -1124,18 +1124,32 @@ sub notify {
         $default_lang = Bugzilla::User->new()->setting('lang');
     }
 
+    # Get comments on the bug
+    my $all_comments = $bug->comments({ after => $bug->lastdiffed });
+    @$all_comments   = grep { $_->type || $_->body =~ /\S/ } @$all_comments;
+
+    # Get public only comments
+    my $public_comments = [ grep { !$_->is_private } @$all_comments ];
+
     foreach my $to (keys %recipients) {
         # Add threadingmarker to allow flag notification emails to be the
         # threaded similar to normal bug change emails.
         my $thread_user_id = $recipients{$to} ? $recipients{$to}->id : 0;
 
-        my $vars = { 'flag'            => $flag,
-                     'old_flag'        => $old_flag,
-                     'to'              => $to,
-                     'date'            => $timestamp,
-                     'bug'             => $bug,
-                     'attachment'      => $attachment,
-                     'threadingmarker' => build_thread_marker($bug->id, $thread_user_id) };
+        # We only want to show private comments to users in the is_insider group
+        my $comments = $recipients{$to} && $recipients{$to}->is_insider
+            ? $all_comments : $public_comments;
+
+        my $vars = {
+            flag            => $flag,
+            old_flag        => $old_flag,
+            to              => $to,
+            date            => $timestamp,
+            bug             => $bug,
+            attachment      => $attachment,
+            threadingmarker => build_thread_marker($bug->id, $thread_user_id),
+            new_comments    => $comments,
+        };
 
         my $lang = $recipients{$to} ?
           $recipients{$to}->setting('lang') : $default_lang;
author	Simon Green <sgreen@redhat.com>	2014-10-06 16:49:38 +0200
committer	David Lawrence <dkl@mozilla.com>	2014-10-06 16:49:38 +0200
commit	fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d (patch)
tree	01b1eeaeeecd240a743cb280e2dbf101ad2aac37 /Bugzilla/Flag.pm
parent	f33b119d68d21074d08a6bd72f960319276e182b (diff)
download	bugzilla-fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d.tar.gz bugzilla-fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d.tar.xz