diff options
author | lpsolit%gmail.com <> | 2006-10-15 06:04:55 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 06:04:55 +0200 |
commit | 79b572263ea0dfcc1638757057825c3e6a2ee38d (patch) | |
tree | 2d373b78667d1af5e6ba588f28143229dbb2da77 /request.cgi | |
parent | b0ddda44bee03e94f04368dd68e8c0784de4a945 (diff) | |
download | bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.gz bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.xz |
Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
Diffstat (limited to 'request.cgi')
-rwxr-xr-x | request.cgi | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/request.cgi b/request.cgi index 4b2adb6b5..8d514347a 100755 --- a/request.cgi +++ b/request.cgi @@ -78,13 +78,6 @@ sub queue { my $status = validateStatus($cgi->param('status')); my $form_group = validateGroup($cgi->param('group')); - my $attach_join_clause = "flags.attach_id = attachments.attach_id"; - if (Bugzilla->params->{"insidergroup"} - && !Bugzilla->user->in_group(Bugzilla->params->{"insidergroup"})) - { - $attach_join_clause .= " AND attachments.isprivate < 1"; - } - my $query = # Select columns describing each flag, the bug/attachment on which # it has been set, who set it, and of whom they are requesting it. @@ -105,7 +98,7 @@ sub queue { " FROM flags LEFT JOIN attachments - ON ($attach_join_clause) + ON flags.attach_id = attachments.attach_id INNER JOIN flagtypes ON flags.type_id = flagtypes.id INNER JOIN profiles AS requesters @@ -134,7 +127,13 @@ sub queue { (bugs.assigned_to = $userid) " . (Bugzilla->params->{'useqacontact'} ? "OR (bugs.qa_contact = $userid))" : ")"); - + + unless ($user->is_insider) { + $query .= " AND (attachments.attach_id IS NULL + OR attachments.isprivate = 0 + OR attachments.submitter_id = $userid)"; + } + # Limit query to pending requests. $query .= " AND flags.status = '?' " unless $status; |