diff options
author | jake%acutex.net <> | 2001-06-01 00:52:23 +0200 |
---|---|---|
committer | jake%acutex.net <> | 2001-06-01 00:52:23 +0200 |
commit | bc521effbd39f4e88e8de50dac650acd8a46705f (patch) | |
tree | 73f7f28f684e652f239c5bea7fdfe1c35a5b60a9 /CGI.pl | |
parent | 1a2221391b29920332d504dc3e80803a23e430d7 (diff) | |
download | bugzilla-bc521effbd39f4e88e8de50dac650acd8a46705f.tar.gz bugzilla-bc521effbd39f4e88e8de50dac650acd8a46705f.tar.xz |
Bugzilla was leaking information about bugs marked secure (using bug groups). This checkin fixes bugs 39524, 39527, 39531, and 39533.
Patches by Myk Melez <myk@mozilla.org>.
r= jake@acutex.net
Diffstat (limited to 'CGI.pl')
-rw-r--r-- | CGI.pl | 49 |
1 files changed, 49 insertions, 0 deletions
@@ -226,6 +226,55 @@ sub CheckFormFieldDefined (\%$) { } } +sub ValidateBugID { + # Validates and verifies a bug ID, making sure the number is a + # positive integer, that it represents an existing bug in the + # database, and that the user is authorized to access that bug. + + my ($id) = @_; + + # Make sure the bug number is a positive integer. + $id =~ /^([1-9][0-9]*)$/ + || DisplayError("The bug number is invalid.") + && exit; + + # Make sure the usergroupset variable is set. This variable stores + # the set of groups the user is a member of. This variable should + # be set by either confirm_login or quietly_check_login, but we set + # it here just in case one of those functions has not been run yet. + $::usergroupset ||= 0; + + # Query the database for the bug, retrieving a boolean value that + # represents whether or not the user is authorized to access the bug. + + # Users are authorized to access bugs if they are a member of all + # groups to which the bug is restricted. User group membership and + # bug restrictions are stored as bits within bitsets, so authorization + # can be determined by comparing the intersection of the user's + # bitset with the bug's bitset. If the result matches the bug's bitset + # the user is a member of all groups to which the bug is restricted + # and is authorized to access the bug. + + # Bit arithmetic is performed by MySQL instead of Perl because bitset + # fields in the database are 64 bits wide (BIGINT), and Perl installations + # may or may not support integers larger than 32 bits. Using bitsets + # and doing bitset arithmetic is probably not cross-database compatible, + # however, so these mechanisms are likely to change in the future. + SendSQL("SELECT ((groupset & $::usergroupset) = groupset) + FROM bugs WHERE bug_id = $id"); + + # Make sure the bug exists in the database. + MoreSQLData() + || DisplayError("Bug #$id does not exist.") + && exit; + + # Make sure the user is authorized to access the bug. + my ($isauthorized) = FetchSQLData(); + $isauthorized + || DisplayError("You are not authorized to access bug #$id.") + && exit; +} + # check and see if a given string actually represents a positive # integer, and abort if not. # |