authormkanat%kerio.com <>2005-07-08 14:35:20 +0200
committermkanat%kerio.com <>2005-07-08 14:35:20 +0200
commit9b11535c66ebe5103afea0eb87e92c939a975d34 (patch)
tree7578009e82dda6eb3ab2ba8d5d843be30d7464e5 /Bugzilla/User.pm
parent0d7a4fbf959a1c522350786e83df580476bf5642 (diff)
Bug 292544: [SECURITY] Can see a security-sensitive bug in buglist.cgi for a short time when there are certain performance problems
Patch By Frederic Buclin <LpSolit@gmail.com> r=joel, a=justdave
Diffstat (limited to 'Bugzilla/User.pm')
-rw-r--r--Bugzilla/User.pm19
1 files changed, 10 insertions, 9 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index c9817a4d9..ff88b9f3b 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -356,7 +356,7 @@ sub can_see_bug {
# is cached because this may be called for every row in buglists or
# every bug in a dependency list.
unless ($sth) {
- $sth = $dbh->prepare("SELECT reporter, assigned_to, qa_contact,
+ $sth = $dbh->prepare("SELECT 1, reporter, assigned_to, qa_contact,
reporter_accessible, cclist_accessible,
COUNT(cc.who), COUNT(bug_group_map.bug_id)
FROM bugs
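Review bot: The constant `1` added as the first selected column carries the whole fix but has no comment, and nothing in the query says why it is there. Its role only becomes visible in the later hunk, where it is read into `$ready`: when no row matches, `fetchrow_array()` returns an empty list, every field is undef, and the old expression's `!$missinggroup` term evaluated true, so the check granted access. I would add a comment above the `prepare` along the lines of `# The leading constant marks "a row was returned"; with no row every field is undef and !$missinggroup would otherwise grant access.` The column is also bound by position to the list assignment after `execute()`, which the comment should mention so a later reordering does not silently shift the fields. The body of can_see_bug starts outside this hunk.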
@@ -367,22 +367,23 @@ sub can_see_bug {
ON bugs.bug_id = bug_group_map.bug_id
AND bug_group_map.group_ID NOT IN(" .
join(',',(-1, values(%{$self->groups}))) .
- ") WHERE bugs.bug_id = ? " .
+ ") WHERE bugs.bug_id = ?
+ AND creation_ts IS NOT NULL " .
$dbh->sql_group_by('bugs.bug_id', 'reporter, ' .
'assigned_to, qa_contact, reporter_accessible, ' .
'cclist_accessible'));
}
$sth->execute($bugid);
- my ($reporter, $owner, $qacontact, $reporter_access, $cclist_access,
+ my ($ready, $reporter, $owner, $qacontact, $reporter_access, $cclist_access,
$isoncclist, $missinggroup) = $sth->fetchrow_array();
$sth->finish;
$self->{sthCanSeeBug} = $sth;
- return ( (($reporter == $userid) && $reporter_access)
- || (Param('useqacontact') && $qacontact &&
- ($qacontact == $userid))
- || ($owner == $userid)
- || ($isoncclist && $cclist_access)
- || (!$missinggroup) );
+ return ($ready
+ && ((($reporter == $userid) && $reporter_access)
+ || (Param('useqacontact') && $qacontact && ($qacontact == $userid))
+ || ($owner == $userid)
+ || ($isoncclist && $cclist_access)
+ || (!$missinggroup)));
}
sub get_selectable_products {
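Review bot: The new predicate `AND creation_ts IS NOT NULL` is unqualified in a query that also joins `cc` and `bug_group_map`, while the neighbouring condition is written `bugs.bug_id = ?`. Writing it as `AND bugs.creation_ts IS NOT NULL` keeps the access check from becoming ambiguous if either joined table ever gains a column of that name. The reason a NULL `creation_ts` must deny access is also not stated anywhere in the hunk. Presumably it marks a bug row whose group restrictions are not yet in place, so a short comment to that effect next to the WHERE clause would help. This page shows only Bugzilla/User.pm, so it cannot confirm whether other queries that list bugs apply the same filter, which is worth checking.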