authorjustdave%bugzilla.org <>2004-10-25 16:36:13 +0200
committerjustdave%bugzilla.org <>2004-10-25 16:36:13 +0200
commitf4c3d847c1aefc68438494792dee140c01428aa1 (patch)
treecc8b52f8647c3f28dc8b77a699494e8c37b775d2 /Bugzilla
parent22628e0ab83b78056beed1663af9bf14071a97fc (diff)
downloadbugzilla-f4c3d847c1aefc68438494792dee140c01428aa1.tar.gz
bugzilla-f4c3d847c1aefc68438494792dee140c01428aa1.tar.xz
[SECURITY] Bug 250605: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when receiving bug change notification mails. This only affects sites that use the 'insidergroup' feature.
Patch by Joel Peshkin <bugreport@peshkin.net> r=kiko,justdave, a=justdave
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/BugMail.pm10
1 files changed, 10 insertions, 0 deletions
diff --git a/Bugzilla/BugMail.pm b/Bugzilla/BugMail.pm
index 2526ffada..22f97d365 100644
--- a/Bugzilla/BugMail.pm
+++ b/Bugzilla/BugMail.pm
@@ -238,6 +238,11 @@ sub ProcessOneBug($) {
$old = FormatTimeUnit($old);
$new = FormatTimeUnit($new);
}
+ if ($attachid) {
+ SendSQL("SELECT isprivate FROM attachments
+ WHERE attach_id = $attachid");
+ $diffpart->{'isprivate'} = FetchOneColumn();
+ }
$difftext = FormatTriple($what, $old, $new);
$diffpart->{'header'} = $diffheader;
$diffpart->{'fieldname'} = $fieldname;
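Review bot: The added `SendSQL` call interpolates `$attachid` directly into the SQL text, and the place where that value is assigned is outside this hunk. If it is read back from an integer database column, as seems likely, a short comment saying so would let a reader confirm the interpolation is safe; otherwise tighten the guard, e.g. `if ($attachid && $attachid =~ /^\d+$/) {`. A lookup that returns no row leaves `$diffpart->{'isprivate'}` undefined, which the later `isprivate` test in NewProcessOnePerson would presumably treat as not private, so the failure mode is to disclose rather than to withhold. ProcessOneBug's body begins and ends outside the hunk.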
@@ -772,6 +777,11 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
if ($user->groups->{Param("timetrackinggroup")}) {
$add_diff = 1;
}
+ } elsif (($diff->{'isprivate'})
+ && Param('insidergroup')
+ && !($user->groups->{Param('insidergroup')})
+ ) {
+ $add_diff = 0;
} else {
$add_diff = 1;
}
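Review bot: The private-attachment test is added as an `elsif`, so it is evaluated only when the preceding condition (whose opening `if` is outside the hunk) does not match, and the final `else` still sets `$add_diff = 1`. The filter is therefore default-allow: any diff that reaches this chain without `isprivate` set is mailed to the recipient. Consider an independent guard after the chain, such as `$add_diff = 0 if $diff->{'isprivate'} && Param('insidergroup') && !$user->groups->{Param('insidergroup')};`, so that a future branch added above cannot bypass it. A comment such as `# Hide changes to private attachments from users outside insidergroup` would also record why the branch exists.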