summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2010-08-04 23:25:07 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2010-08-04 23:25:07 +0200
commit1741f7c98b480f25fa707011e00765353499dd8f (patch)
treea737a5ec8410feb5a5ea340eeb9392c330fed04f /Bugzilla
parent1424273134c4adf6378a486be8188709b85bf648 (diff)
downloadbugzilla-1741f7c98b480f25fa707011e00765353499dd8f.tar.gz
bugzilla-1741f7c98b480f25fa707011e00765353499dd8f.tar.xz
Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being in any given group
r=mkanat a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Search.pm7
1 files changed, 7 insertions, 0 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 7a6fe60f2..abd3fd53e 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1856,10 +1856,14 @@ sub _contact_exact_group {
my ($value, $operator, $field, $chart_id, $joins) =
@$args{qw(value operator field chart_id joins)};
my $dbh = Bugzilla->dbh;
+ my $user = $self->_user;
$value =~ /\%group\.([^%]+)%/;
my $group = Bugzilla::Group->check($1);
$group->check_members_are_visible();
+ $user->in_group($group)
+ || ThrowUserError('invalid_group_name', {name => $group->name});
+
my $group_ids = Bugzilla::Group->flatten_group_membership($group->id);
my $table = "user_group_map_$chart_id";
my $join = {
@@ -1904,6 +1908,9 @@ sub _cc_exact_group {
$value =~ m/%group\.([^%]+)%/;
my $group = Bugzilla::Group->check($1);
$group->check_members_are_visible();
+ $user->in_group($group)
+ || ThrowUserError('invalid_group_name', {name => $group->name});
+
my $all_groups = Bugzilla::Group->flatten_group_membership($group->id);
# This is for the email1, email2, email3 fields from query.cgi.