author | mkanat%kerio.com <> | 2005-07-08 14:29:14 +0200 |
---|---|---|
committer | mkanat%kerio.com <> | 2005-07-08 14:29:14 +0200 |
commit | 0d7a4fbf959a1c522350786e83df580476bf5642 (patch) | |
tree | bdc9db68814ef7e0ff8a30a43d34f541b9c4c547 /attachment.cgi | |
parent | 4f5fe2cd8ca790ff083d5f5a9903b13afc75cb9a (diff) | |
Bug 293159: [SECURITY] Anyone can change flags and access bug summaries due to a bad check in Flag::validate() and Flag::modify()
Patch By Frederic Buclin <LpSolit@gmail.com> r=myk, a=justdave
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-x | attachment.cgi | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 0c010a061..e4cbe8eed 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -913,8 +913,11 @@ sub insert
 $vars->{'message'} = 'user_match_multiple';
 }
- Bugzilla::Flag::validate($cgi, $bugid);
- Bugzilla::FlagType::validate($cgi, $bugid, $cgi->param('id'));
+ # Flag::validate() should not detect any reference to existing
+ # flags when creating a new attachment. Setting the third param
+ # to -1 will force this function to check this point.
+ Bugzilla::Flag::validate($cgi, $bugid, -1);
+ Bugzilla::FlagType::validate($cgi, $bugid);
 # Escape characters in strings that will be used in SQL statements.
 my $sql_filename = SqlQuote($filename);
@@ -1148,7 +1151,7 @@ sub update
 Bugzilla::User::match_field($cgi, { '^requestee(_type)?-(\d+)$' => { 'type' => 'single' } });
- Bugzilla::Flag::validate($cgi, $bugid);
+ Bugzilla::Flag::validate($cgi, $bugid, $attach_id);
 Bugzilla::FlagType::validate($cgi, $bugid, $attach_id);
 # Lock database tables in preparation for updating the attachment. |
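Review bot: The `-1` passed to `Bugzilla::Flag::validate()` in `insert` is an in-band sentinel, and the comment above it ("force this function to check this point") does not say what is actually rejected. Since this call is the authorization boundary for a new attachment, I would word it as `# No attachment exists yet, so the form must not reference any existing flag; -1 tells Flag::validate() to reject every such reference.` A named constant in place of the bare `-1` would also keep a later caller from passing `undef` or `0` by mistake. How validate() treats those values is not visible in this diff, so that should be confirmed. The body of `insert` starts and ends outside the hunk.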
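Review bot: The new third argument in `update`, `$attach_id`, is assigned outside this hunk, so the check is only as strong as the validation already applied to that value and to its relation with `$bugid`. A short why-comment at the call would make the intent reviewable, for example `# Pass the attachment id so Flag::validate() can reject flag ids that belong to another attachment or bug.` The diffstat here is limited to attachment.cgi. If validate() still accepts the two-argument form, any other caller left on it presumably keeps the old behaviour and is worth auditing. The body of `update` starts and ends outside the hunk.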