summaryrefslogtreecommitdiffstats
path: root/template/en
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2006-10-15 06:04:55 +0200
committerlpsolit%gmail.com <>2006-10-15 06:04:55 +0200
commit79b572263ea0dfcc1638757057825c3e6a2ee38d (patch)
tree2d373b78667d1af5e6ba588f28143229dbb2da77 /template/en
parentb0ddda44bee03e94f04368dd68e8c0784de4a945 (diff)
downloadbugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.gz
bugzilla-79b572263ea0dfcc1638757057825c3e6a2ee38d.tar.xz
Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
Diffstat (limited to 'template/en')
-rw-r--r--template/en/default/attachment/list.html.tmpl3
-rw-r--r--template/en/default/attachment/show-multiple.html.tmpl12
-rw-r--r--template/en/default/filterexceptions.pl2
3 files changed, 8 insertions, 9 deletions
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index adb927e1a..a0445b16a 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -32,11 +32,10 @@
[% END %]
<th bgcolor="#cccccc" align="left">Actions</th>
</tr>
- [% canseeprivate = !Param("insidergroup") || user.in_group(Param("insidergroup")) %]
[% count = 0 %]
[% FOREACH attachment = attachments %]
[% count = count + 1 %]
- [% IF !attachment.isprivate || canseeprivate %]
+ [% IF !attachment.isprivate || user.is_insider || attachment.attacher.id == user.id %]
<tr [% "class=\"bz_private\"" IF attachment.isprivate %]>
<td valign="top">
<a name="a[% count %]" href="attachment.cgi?id=[% attachment.id %]">[% attachment.description FILTER html FILTER obsolete(attachment.isobsolete) %]</a>
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index ca2690c6e..ad0dfbafd 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -41,7 +41,7 @@
<table class="attachment_info" cellspacing="0" cellpadding="4" border="1" width="75%">
<tr>
<td valign="top" bgcolor="#cccccc" colspan="6">
- <big><b>Attachment #[% a.attachid %]</b></big>
+ <big><b>Attachment #[% a.id %]</b></big>
</td>
</tr>
<tr>
@@ -57,7 +57,7 @@
[% END %]
</td>
- <td valign="top">[% a.date FILTER time %]</td>
+ <td valign="top">[% a.attached FILTER time %]</td>
<td valign="top">[% a.datasize FILTER unitconvert %]</td>
<td valign="top">
@@ -76,20 +76,20 @@
</td>
<td valign="top">
- <a href="attachment.cgi?id=[% a.attachid %]&amp;action=edit">Details</a>
+ <a href="attachment.cgi?id=[% a.id %]&amp;action=edit">Details</a>
</td>
</tr>
</table>
[% IF a.isviewable %]
- <iframe src="attachment.cgi?id=[% a.attachid %]" width="75%" height="350">
+ <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
- <a href="attachment.cgi?id=[% a.attachid %]">View the attachment on a separate page</a>.</b>
+ <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>
[% ELSE %]
<p><b>
Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
- <a href="attachment.cgi?id=[% a.attachid %]">Download the attachment instead</a>.
+ <a href="attachment.cgi?id=[% a.id %]">Download the attachment instead</a>.
</b></p>
[% END %]
</div>
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index e80c758cd..d9a3e1913 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -436,7 +436,7 @@
],
'attachment/show-multiple.html.tmpl' => [
- 'a.attachid',
+ 'a.id',
'flag.status'
],