diff options
| author | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-06-24 19:06:25 +0200 |
|---|---|---|
| committer | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-06-24 19:06:25 +0200 |
| commit | 14944e84b4dd1eeb9cbd48962f3cde2d7b15c630 (patch) | |
| tree | 8f28a863d6f9dd71d4901c8404d95ba5668dd32b /Bugzilla | |
| parent | 92f35343a344dca4ff3c2998d999a0d23d943fcf (diff) | |
| download | bugzilla-14944e84b4dd1eeb9cbd48962f3cde2d7b15c630.tar.gz bugzilla-14944e84b4dd1eeb9cbd48962f3cde2d7b15c630.tar.xz | |
Bug 309952: (CVE-2010-1204) [SECURITY] Make boolean chart searches with time
tracking fields no longer work for everybody
r=LpSolit, a=mkanat
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/Search.pm | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index a764babe4..24adf0094 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -870,6 +870,12 @@ sub init { my %chartfields = @{$dbh->selectcol_arrayref( q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })}; + if (!$user->is_timetracker) { + foreach my $tt_field (TIMETRACKING_FIELDS) { + delete $chartfields{$tt_field}; + } + } + my ($sequence, $chartid); $row = 0; for ($chart=-1 ; |