authorjake%acutex.net <>2001-06-01 00:52:23 +0200
committerjake%acutex.net <>2001-06-01 00:52:23 +0200
commitbc521effbd39f4e88e8de50dac650acd8a46705f (patch)
tree73f7f28f684e652f239c5bea7fdfe1c35a5b60a9 /showvotes.cgi
parent1a2221391b29920332d504dc3e80803a23e430d7 (diff)
downloadbugzilla-bc521effbd39f4e88e8de50dac650acd8a46705f.tar.gz
bugzilla-bc521effbd39f4e88e8de50dac650acd8a46705f.tar.xz
Bugzilla was leaking information about bugs marked secure (using bug groups). This checkin fixes bugs 39524, 39527, 39531, and 39533.
Patches by Myk Melez <myk@mozilla.org>. r= jake@acutex.net
Diffstat (limited to 'showvotes.cgi')
-rwxr-xr-xshowvotes.cgi61
1 files changed, 31 insertions, 30 deletions
diff --git a/showvotes.cgi b/showvotes.cgi
index 575156786..bb87848f0 100755
--- a/showvotes.cgi
+++ b/showvotes.cgi
@@ -28,50 +28,51 @@ require "CGI.pl";
ConnectToDatabase();
+if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
+ !defined $::FORM{'user'})) {
+ confirm_login();
+ $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
+} else {
+ # Check whether or not the user is currently logged in without throwing
+ # an error if the user is not logged in. This function sets the value
+ # of $::usergroupset, the binary number that records the set of groups
+ # to which the user belongs and which gets used in ValidateBugID below
+ # to determine whether or not the user is authorized to access the bug
+ # whose votes are being shown or which is being voted on.
+ quietly_check_login();
+}
+
################################################################################
-# START Form Data Validation
+# Begin Data/Security Validation
################################################################################
-# For security and correctness, validate the value of the "voteon" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'voteon'}) {
- $::FORM{'voteon'} =~ /^(\d+)$/;
- $::FORM{'voteon'} = $1 || 0;
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'voteon'}");
- FetchSQLData()
- || DisplayError("You entered an invalid bug number to vote on.") && exit;
+# Make sure the bug ID is a positive integer representing an existing
+# bug that the user is authorized to access.
+if (defined $::FORM{'bug_id'}) {
+ ValidateBugID($::FORM{'bug_id'});
}
-# For security and correctness, validate the value of the "bug_id" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'bug_id'}) {
- $::FORM{'bug_id'} =~ /^(\d+)$/;
- $::FORM{'bug_id'} = $1 || 0;
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'bug_id'}");
- FetchSQLData()
- || DisplayError("You entered an invalid bug number.") && exit;
+# Make sure the bug ID being voted on is a positive integer representing
+# an existing bug that the user is authorized to access.
+if (defined $::FORM{'voteon'}) {
+ ValidateBugID($::FORM{'voteon'});
}
-# For security and correctness, validate the value of the "userid" form variable.
-# Valid values are those containing a number that is the ID of an existing user.
+# Make sure the user ID is a positive integer representing an existing user.
if (defined $::FORM{'user'}) {
- $::FORM{'user'} =~ /^(\d+)$/;
- $::FORM{'user'} = $1 || 0;
- SendSQL("SELECT userid FROM profiles WHERE userid = $::FORM{'user'}");
+ $::FORM{'user'} =~ /^([1-9][0-9]*)$/
+ || DisplayError("The user number is invalid.")
+ && exit;
+ SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}");
FetchSQLData()
- || DisplayError("You specified an invalid user number.") && exit;
+ || DisplayError("User #$::FORM{'user'} does not exist.")
+ && exit;
}
################################################################################
-# END Form Data Validation
+# End Data/Security Validation
################################################################################
-if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
- !defined $::FORM{'user'})) {
- confirm_login();
- $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
-}
-
print "Content-type: text/html\n\n";
if (defined $::FORM{'bug_id'}) {
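Review bot: The user-ID check `$::FORM{'user'} =~ /^([1-9][0-9]*)$/ || DisplayError("The user number is invalid.") && exit;` only reaches `exit` if DisplayError happens to return a true value, and unlike the removed `$::FORM{'user'} = $1 || 0;` the new code no longer reassigns from the capture before interpolating `$::FORM{'user'}` into `SELECT 1 FROM profiles WHERE userid = ...`, so the query's safety now rests entirely on that return value (and `$` also admits a trailing newline). I would make the abort unconditional and keep the reassignment: `$::FORM{'user'} =~ /^([1-9][0-9]*)$/` / `or do { DisplayError("The user number is invalid."); exit; };` / `$::FORM{'user'} = $1;`. The same `|| DisplayError(...) && exit` idiom is reused on the FetchSQLData check just below, where the value has already passed validation, so it matters less there. ValidateBugID and the later query that lists a given user's votes are outside this hunk; presumably ValidateBugID performs the $::usergroupset check the new comment describes and the votes listing is filtered the same way, but neither can be confirmed from the diff.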