Bug 533018: "Confirm match" displays full email address to logged-out users in request.cgi

r/a=mkanat
author: Frédéric Buclin <LpSolit@gmail.com> 2010-02-18 01:13:43 +0100
committer: Frédéric Buclin <LpSolit@gmail.com> 2010-02-18 01:13:43 +0100
commit: 9e044b55c14320849fec284fa5452e9385153ec4 (patch)
tree: 8d228fb51a2eb162de951d15a19895850f641763 /Bugzilla/User.pm
parent: 56cb0704b45b7bd7457bbf3e4da69f9384d1c261 (diff)
download: bugzilla-9e044b55c14320849fec284fa5452e9385153ec4.tar.gz
bugzilla-9e044b55c14320849fec284fa5452e9385153ec4.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 240fcfcdb..7dd86f301 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1066,7 +1066,8 @@ sub match {
     # first try wildcards
     my $wildstr = $str;
 
-    if ($wildstr =~ s/\*/\%/g) { # don't do wildcards if no '*' in the string
+    # Do not do wildcards if there is no '*' in the string.
+    if ($wildstr =~ s/\*/\%/g && $user->id) {
         # Build the query.
         trick_taint($wildstr);
         my $query  = "SELECT DISTINCT userid FROM profiles ";
@@ -1101,7 +1102,7 @@ sub match {
     }
 
     # then try substring search
-    if (!scalar(@users) && length($str) >= 3) {
+    if (!scalar(@users) && length($str) >= 3 && $user->id) {
         trick_taint($str);
 
         my $query   = "SELECT DISTINCT userid FROM profiles ";
author	Frédéric Buclin <LpSolit@gmail.com>	2010-02-18 01:13:43 +0100
committer	Frédéric Buclin <LpSolit@gmail.com>	2010-02-18 01:13:43 +0100
commit	9e044b55c14320849fec284fa5452e9385153ec4 (patch)
tree	8d228fb51a2eb162de951d15a19895850f641763 /Bugzilla/User.pm
parent	56cb0704b45b7bd7457bbf3e4da69f9384d1c261 (diff)
download	bugzilla-9e044b55c14320849fec284fa5452e9385153ec4.tar.gz bugzilla-9e044b55c14320849fec284fa5452e9385153ec4.tar.xz