summaryrefslogtreecommitdiffstats
path: root/request.cgi
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2006-10-15 06:04:55 +0200
committerlpsolit%gmail.com <>2006-10-15 06:04:55 +0200
commit79b572263ea0dfcc1638757057825c3e6a2ee38d (patch)
tree2d373b78667d1af5e6ba588f28143229dbb2da77 /request.cgi
parentb0ddda44bee03e94f04368dd68e8c0784de4a945 (diff)
downloadbugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.gz
bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.xz
Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
Diffstat (limited to 'request.cgi')
-rwxr-xr-xrequest.cgi17
1 files changed, 8 insertions, 9 deletions
diff --git a/request.cgi b/request.cgi
index 4b2adb6b5..8d514347a 100755
--- a/request.cgi
+++ b/request.cgi
@@ -78,13 +78,6 @@ sub queue {
my $status = validateStatus($cgi->param('status'));
my $form_group = validateGroup($cgi->param('group'));
- my $attach_join_clause = "flags.attach_id = attachments.attach_id";
- if (Bugzilla->params->{"insidergroup"}
- && !Bugzilla->user->in_group(Bugzilla->params->{"insidergroup"}))
- {
- $attach_join_clause .= " AND attachments.isprivate < 1";
- }
-
my $query =
# Select columns describing each flag, the bug/attachment on which
# it has been set, who set it, and of whom they are requesting it.
@@ -105,7 +98,7 @@ sub queue {
"
FROM flags
LEFT JOIN attachments
- ON ($attach_join_clause)
+ ON flags.attach_id = attachments.attach_id
INNER JOIN flagtypes
ON flags.type_id = flagtypes.id
INNER JOIN profiles AS requesters
@@ -134,7 +127,13 @@ sub queue {
(bugs.assigned_to = $userid) " .
(Bugzilla->params->{'useqacontact'} ? "OR
(bugs.qa_contact = $userid))" : ")");
-
+
+ unless ($user->is_insider) {
+ $query .= " AND (attachments.attach_id IS NULL
+ OR attachments.isprivate = 0
+ OR attachments.submitter_id = $userid)";
+ }
+
# Limit query to pending requests.
$query .= " AND flags.status = '?' " unless $status;