Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access

r/a=LpSolit
author: Simon Green <sgreen@redhat.com> 2013-02-19 18:14:59 +0100
committer: Frédéric Buclin <LpSolit@gmail.com> 2013-02-19 18:14:59 +0100
commit: 0bd4c361b4a5fe0e0773e77571a84234b8f91f76 (patch)
tree: 4cd125aa182bc215c61dca04f06054a0786e7fa5 /buglist.cgi
parent: 7e4fb28341abfe2a5c31645e20c5804229e8eaea (diff)
download: bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.gz
bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/buglist.cgi b/buglist.cgi
index 7439b78ee..b5604d2bd 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -786,7 +786,10 @@ $params->delete('limit') if $vars->{'default_limited'};
 # Query Execution
 ################################################################################
 
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && $user->in_group(Bugzilla->params->{debug_group})
+) {
     $vars->{'debug'} = 1;
     $vars->{'query'} = $query;
     # Explains are limited to admins because you could use them to figure
author	Simon Green <sgreen@redhat.com>	2013-02-19 18:14:59 +0100
committer	Frédéric Buclin <LpSolit@gmail.com>	2013-02-19 18:14:59 +0100
commit	0bd4c361b4a5fe0e0773e77571a84234b8f91f76 (patch)
tree	4cd125aa182bc215c61dca04f06054a0786e7fa5 /buglist.cgi
parent	7e4fb28341abfe2a5c31645e20c5804229e8eaea (diff)
download	bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.gz bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.xz