summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authormkanat%bugzilla.org <>2009-11-19 03:09:45 +0100
committermkanat%bugzilla.org <>2009-11-19 03:09:45 +0100
commit26b0e4cffe829d9c436ae28de218788c0534ee29 (patch)
treec73ae55e801f5d23e519e7eb36eb8a15e189ad02 /Bugzilla
parentc0c052e34345a0a3cc2be95b9881bf91005da69a (diff)
downloadbugzilla-26b0e4cffe829d9c436ae28de218788c0534ee29.tar.gz
bugzilla-26b0e4cffe829d9c436ae28de218788c0534ee29.tar.xz
Bug 529416: (CVE-2009-3386) [SECURITY] Dependency lists display bug aliases even for bugs the user cannot access
Patch by Dave Miller <justdave@bugzilla.org> r=LpSolit, r=mkanat, a=mkanat
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Template.pm7
1 files changed, 3 insertions, 4 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index ba0a035bb..17429a2e2 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -348,10 +348,6 @@ sub get_bug_link {
$bug = blessed($bug) ? $bug : new Bugzilla::Bug($bug);
return $link_text if $bug->{error};
- if ($options->{use_alias} && $link_text =~ /^\d+$/ && $bug->alias) {
- $link_text = $bug->alias;
- }
-
# Initialize these variables to be "" so that we don't get warnings
# if we don't change them below (which is highly likely).
my ($pre, $title, $post) = ("", "", "");
@@ -369,6 +365,9 @@ sub get_bug_link {
}
if (Bugzilla->user->can_see_bug($bug)) {
$title .= " - " . $bug->short_desc;
+ if ($options->{use_alias} && $link_text =~ /^\d+$/ && $bug->alias) {
+ $link_text = $bug->alias;
+ }
}
# Prevent code injection in the title.
$title = html_quote(clean_text($title));