author | jake%acutex.net <> | 2001-06-01 00:52:23 +0200 |
---|---|---|
committer | jake%acutex.net <> | 2001-06-01 00:52:23 +0200 |
commit | bc521effbd39f4e88e8de50dac650acd8a46705f (patch) | |
tree | 73f7f28f684e652f239c5bea7fdfe1c35a5b60a9 /showvotes.cgi | |
parent | 1a2221391b29920332d504dc3e80803a23e430d7 (diff) | |
download | bugzilla-bc521effbd39f4e88e8de50dac650acd8a46705f.tar.gz bugzilla-bc521effbd39f4e88e8de50dac650acd8a46705f.tar.xz |
Bugzilla was leaking information about bugs marked secure (using bug groups). This checkin fixes bugs 39524, 39527, 39531, and 39533.
Patches by Myk Melez <myk@mozilla.org>.
r= jake@acutex.net
Diffstat (limited to 'showvotes.cgi')
-rwxr-xr-x | showvotes.cgi | 61 |
1 files changed, 31 insertions, 30 deletions
diff --git a/showvotes.cgi b/showvotes.cgi
index 575156786..bb87848f0 100755
--- a/showvotes.cgi
+++ b/showvotes.cgi
@@ -28,50 +28,51 @@ require "CGI.pl";
 
 ConnectToDatabase();
 
+if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
+ !defined $::FORM{'user'})) {
+ confirm_login();
+ $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
+} else {
+ # Check whether or not the user is currently logged in without throwing
+ # an error if the user is not logged in. This function sets the value
+ # of $::usergroupset, the binary number that records the set of groups
+ # to which the user belongs and which gets used in ValidateBugID below
+ # to determine whether or not the user is authorized to access the bug
+ # whose votes are being shown or which is being voted on.
+ quietly_check_login();
+}
+
 ################################################################################
-# START Form Data Validation
+# Begin Data/Security Validation
 ################################################################################
 
-# For security and correctness, validate the value of the "voteon" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'voteon'}) {
- $::FORM{'voteon'} =~ /^(\d+)$/;
- $::FORM{'voteon'} = $1 || 0;
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'voteon'}");
- FetchSQLData()
- || DisplayError("You entered an invalid bug number to vote on.") && exit;
+# Make sure the bug ID is a positive integer representing an existing
+# bug that the user is authorized to access.
+if (defined $::FORM{'bug_id'}) {
+ ValidateBugID($::FORM{'bug_id'});
 }
 
-# For security and correctness, validate the value of the "bug_id" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'bug_id'}) {
- $::FORM{'bug_id'} =~ /^(\d+)$/;
- $::FORM{'bug_id'} = $1 || 0;
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'bug_id'}");
- FetchSQLData()
- || DisplayError("You entered an invalid bug number.") && exit;
+# Make sure the bug ID being voted on is a positive integer representing
+# an existing bug that the user is authorized to access.
+if (defined $::FORM{'voteon'}) {
+ ValidateBugID($::FORM{'voteon'});
 }
 
-# For security and correctness, validate the value of the "userid" form variable.
-# Valid values are those containing a number that is the ID of an existing user.
+# Make sure the user ID is a positive integer representing an existing user.
 if (defined $::FORM{'user'}) {
- $::FORM{'user'} =~ /^(\d+)$/;
- $::FORM{'user'} = $1 || 0;
- SendSQL("SELECT userid FROM profiles WHERE userid = $::FORM{'user'}");
+ $::FORM{'user'} =~ /^([1-9][0-9]*)$/
+ || DisplayError("The user number is invalid.")
+ && exit;
+ SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}");
 FetchSQLData()
- || DisplayError("You specified an invalid user number.") && exit;
+ || DisplayError("User #$::FORM{'user'} does not exist.")
+ && exit;
 }
 
 ################################################################################
-# END Form Data Validation
+# End Data/Security Validation
 ################################################################################
 
-if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
- !defined $::FORM{'user'})) {
- confirm_login();
- $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
-}
-
 print "Content-type: text/html\n\n";
 
 if (defined $::FORM{'bug_id'}) { |
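Review bot: The new user-ID check `$::FORM{'user'} =~ /^([1-9][0-9]*)$/` no longer reassigns the matched capture the way the removed `$::FORM{'user'} = $1 || 0;` did, and a trailing `$` anchor also matches before a final newline, so a value such as "7\n" passes the check and is then interpolated verbatim into `SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}")` rather than the validated digits. Anchoring with `\A`/`\z`, i.e. `$::FORM{'user'} =~ /\A([1-9][0-9]*)\z/`, or assigning the capture back before the query keeps the SQL argument exactly what was validated. The `|| DisplayError(...) && exit` chain (used twice in this block) only exits when DisplayError returns a true value; DisplayError is not visible here, so if its return is not guaranteed true the script would continue past a failed check, and `do { DisplayError(...); exit }` would not depend on it. The final `if (defined $::FORM{'bug_id'}) {` opens a block that continues outside the hunk.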