author mkanat%kerio.com <> 2005-05-12 11:07:09 +0200
committer mkanat%kerio.com <> 2005-05-12 11:07:09 +0200
commit e2252835e8e96371d6536af5dbd72a79e6ed05b5
tree c76c89f4a2fc3e7c0e9172efd988d8d49c0c4e5f /reports.cgi
parent 8f2bc1b07ce4150a878e80f5bce09e819cbfd414
Bug 287109: [SECURITY] Names of private products/components can be exposed on certain CGIs
Patch By Frederic Buclin <LpSolit@gmail.com> r=myk, r=joel, a=justdave
Diffstat (limited to 'reports.cgi')
-rwxr-xr-x reports.cgi 4
1 files changed, 1 insertions, 3 deletions
diff --git a/reports.cgi b/reports.cgi
index a3e2c740e..c5314b33e 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -85,9 +85,7 @@ if (! defined $cgi->param('product')) {
# We don't want people to be able to view
# reports for products they don't have permissions for...
- if (($product ne '-All-') && (!CanEnterProduct($product))) {
- ThrowUserError("report_access_denied");
- }
+ if ($product ne '-All-') { CanEnterProductOrWarn($product) }
# We've checked that the product exists, and that the user can see it
# This means that is OK to detaint
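
Review bot: On the added line `if ($product ne '-All-') { CanEnterProductOrWarn($product) }`, whatever the helper returns is discarded, so the detaint justified by the trailing comment ("We've checked that the product exists, and that the user can see it") is safe only if CanEnterProductOrWarn never returns for a product the user may not access. The removed code made the abort explicit with `ThrowUserError("report_access_denied")`; the helper's definition is not part of this diff, so please confirm that it ends the request itself and say so in the comment above the check. Two smaller points: the comment talks about viewing reports while the gate is an enter-bug permission, which deserves a word on why that is the intended check, and if `report_access_denied` has no remaining callers after this change, its message should be removed in the same patch.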