diff options
author | Simon Green <sgreen@redhat.com> | 2013-02-19 18:14:59 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:14:59 +0100 |
commit | 0bd4c361b4a5fe0e0773e77571a84234b8f91f76 (patch) | |
tree | 4cd125aa182bc215c61dca04f06054a0786e7fa5 /buglist.cgi | |
parent | 7e4fb28341abfe2a5c31645e20c5804229e8eaea (diff) | |
download | bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.gz bugzilla-0bd4c361b4a5fe0e0773e77571a84234b8f91f76.tar.xz |
Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
r/a=LpSolit
Diffstat (limited to 'buglist.cgi')
-rwxr-xr-x | buglist.cgi | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/buglist.cgi b/buglist.cgi index 7439b78ee..b5604d2bd 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -786,7 +786,10 @@ $params->delete('limit') if $vars->{'default_limited'}; # Query Execution ################################################################################ -if ($cgi->param('debug')) { +if ($cgi->param('debug') + && Bugzilla->params->{debug_group} + && $user->in_group(Bugzilla->params->{debug_group}) +) { $vars->{'debug'} = 1; $vars->{'query'} = $query; # Explains are limited to admins because you could use them to figure |