authormkanat%kerio.com <>2005-07-08 14:29:14 +0200
committermkanat%kerio.com <>2005-07-08 14:29:14 +0200
commit0d7a4fbf959a1c522350786e83df580476bf5642 (patch)
treebdc9db68814ef7e0ff8a30a43d34f541b9c4c547 /Bugzilla/FlagType.pm
parent4f5fe2cd8ca790ff083d5f5a9903b13afc75cb9a (diff)
Bug 293159: [SECURITY] Anyone can change flags and access bug summaries due to a bad check in Flag::validate() and Flag::modify()
Patch By Frederic Buclin <LpSolit@gmail.com> r=myk, a=justdave
Diffstat (limited to 'Bugzilla/FlagType.pm')
-rw-r--r--Bugzilla/FlagType.pm48
1 files changed, 38 insertions, 10 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index ceeb9a38a..97c6f2c0e 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -325,13 +325,32 @@ and returning just the ID portion of matching field names.
=cut
sub validate {
- my $user = Bugzilla->user;
my ($cgi, $bug_id, $attach_id) = @_;
-
+
+ my $user = Bugzilla->user;
+ my $dbh = Bugzilla->dbh;
+
my @ids = map(/^flag_type-(\d+)$/ ? $1 : (), $cgi->param());
- foreach my $id (@ids)
- {
+ return unless scalar(@ids);
+
+ # No flag reference should exist when changing several bugs at once.
+ ThrowCodeError("flags_not_available", { type => 'b' }) unless $bug_id;
+
+ # We don't check that these flag types are valid for
+ # this bug/attachment. This check will be done later when
+ # processing new flags, see Flag::FormToNewFlags().
+
+ # All flag types have to be active
+ my $inactive_flagtypes =
+ $dbh->selectrow_array("SELECT 1 FROM flagtypes
+ WHERE id IN (" . join(',', @ids) . ")
+ AND is_active = 0 " .
+ $dbh->sql_limit(1));
+
+ ThrowCodeError("flag_type_inactive") if $inactive_flagtypes;
+
+ foreach my $id (@ids) {
my $status = $cgi->param("flag_type-$id");
# Don't bother validating types the user didn't touch.
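Review bot: The `IN (...)` list in the new inactive-flag-type query is built by interpolating `join(',', @ids)` straight into the SQL string; it is injection-safe only because `@ids` is filled from the `(\d+)` capture in the `flag_type-` regex a few lines above, and that coupling is not stated at the query. Either record it on the `join` line, `# Safe to interpolate: each element of @ids is a \d+ capture from the param name`, or bind the values so the query no longer depends on the regex: `"... WHERE id IN (" . join(',', ('?') x @ids) . ") AND is_active = 0 " . $dbh->sql_limit(1), undef, @ids`. Note also that this query only rejects rows with `is_active = 0`; an ID that matches no `flagtypes` row at all passes this check, so whatever loads the flag type per ID (presumably inside the `foreach` loop) has to cope with unknown IDs — the comment at the top of the hunk defers that to `Flag::FormToNewFlags()`, which is not visible here. The `validate` sub and its `foreach my $id (@ids)` loop both continue beyond this hunk.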
@@ -353,22 +372,31 @@ sub validate {
{ id => $id , status => $status });
}
+ # Make sure the user didn't specify a requestee unless the flag
+ # is specifically requestable.
+ my $new_requestee = trim($cgi->param("requestee_type-$id") || '');
+
+ if ($status eq '?'
+ && !$flag_type->{is_requesteeble}
+ && $new_requestee)
+ {
+ ThrowCodeError("flag_requestee_disabled",
+ { name => $flag_type->{name} });
+ }
+
# Make sure the requestee is authorized to access the bug
# (and attachment, if this installation is using the "insider group"
# feature and the attachment is marked private).
if ($status eq '?'
&& $flag_type->{is_requesteeble}
- && trim($cgi->param("requestee_type-$id")))
+ && $new_requestee)
{
- my $requestee_email = trim($cgi->param("requestee_type-$id"));
-
# We know the requestee exists because we ran
# Bugzilla::User::match_field before getting here.
- my $requestee = Bugzilla::User->new_from_login($requestee_email);
+ my $requestee = Bugzilla::User->new_from_login($new_requestee);
# Throw an error if the user can't see the bug.
- if (!$requestee->can_see_bug($bug_id))
- {
+ if (!$requestee->can_see_bug($bug_id)) {
ThrowUserError("flag_requestee_unauthorized",
{ flag_type => $flag_type,
requestee => $requestee,