Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being in any given group

r=mkanat a=LpSolit

1 files changed, 7 insertions, 0 deletions

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 7a6fe60f2..abd3fd53e 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1856,10 +1856,14 @@ sub _contact_exact_group {
     my ($value, $operator, $field, $chart_id, $joins) =
         @$args{qw(value operator field chart_id joins)};
     my $dbh = Bugzilla->dbh;
+    my $user = $self->_user;
     
     $value =~ /\%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $group_ids = Bugzilla::Group->flatten_group_membership($group->id);
     my $table = "user_group_map_$chart_id";
     my $join = {
@@ -1904,6 +1908,9 @@ sub _cc_exact_group {
     $value =~ m/%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $all_groups = Bugzilla::Group->flatten_group_membership($group->id);
 
     # This is for the email1, email2, email3 fields from query.cgi.