authorlpsolit%gmail.com <>2006-10-15 06:04:55 +0200
committerlpsolit%gmail.com <>2006-10-15 06:04:55 +0200
commit79b572263ea0dfcc1638757057825c3e6a2ee38d (patch)
tree2d373b78667d1af5e6ba588f28143229dbb2da77 /template
parentb0ddda44bee03e94f04368dd68e8c0784de4a945 (diff)
Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of private attachments even when you are not in the insidergroup - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
Diffstat (limited to 'template')
-rw-r--r--template/en/default/attachment/list.html.tmpl3
-rw-r--r--template/en/default/attachment/show-multiple.html.tmpl12
-rw-r--r--template/en/default/filterexceptions.pl2
3 files changed, 8 insertions, 9 deletions
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index adb927e1a..a0445b16a 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -32,11 +32,10 @@
[% END %]
<th bgcolor="#cccccc" align="left">Actions</th>
</tr>
- [% canseeprivate = !Param("insidergroup") || user.in_group(Param("insidergroup")) %]
[% count = 0 %]
[% FOREACH attachment = attachments %]
[% count = count + 1 %]
- [% IF !attachment.isprivate || canseeprivate %]
+ [% IF !attachment.isprivate || user.is_insider || attachment.attacher.id == user.id %]
<tr [% "class=\"bz_private\"" IF attachment.isprivate %]>
<td valign="top">
<a name="a[% count %]" href="attachment.cgi?id=[% attachment.id %]">[% attachment.description FILTER html FILTER obsolete(attachment.isobsolete) %]</a>
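Review bot: The new IF line decides private-attachment visibility entirely in the template, so it only hides list rows; a request for attachment.cgi?id=… by a guessed id is governed by the server-side check, which this view does not show (the diffstat is limited to template/), so confirm attachment.cgi applies the same three-way test. The removed `canseeprivate` variable kept that policy in one place, whereas the inline `!attachment.isprivate || user.is_insider || attachment.attacher.id == user.id` must now be kept in sync with any other template that lists attachments. A comment above the IF would record the intent: `[%# Private attachments are listed only to insiders and to their own attacher %]`. The attacher comparison presumably relies on a logged-out user's `user.id` never equalling an attacher id — worth confirming. The FOREACH begun on the line above the IF continues past the end of the hunk.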
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index ca2690c6e..ad0dfbafd 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -41,7 +41,7 @@
<table class="attachment_info" cellspacing="0" cellpadding="4" border="1" width="75%">
<tr>
<td valign="top" bgcolor="#cccccc" colspan="6">
- <big><b>Attachment #[% a.attachid %]</b></big>
+ <big><b>Attachment #[% a.id %]</b></big>
</td>
</tr>
<tr>
@@ -57,7 +57,7 @@
[% END %]
</td>
- <td valign="top">[% a.date FILTER time %]</td>
+ <td valign="top">[% a.attached FILTER time %]</td>
<td valign="top">[% a.datasize FILTER unitconvert %]</td>
<td valign="top">
@@ -76,20 +76,20 @@
</td>
<td valign="top">
- <a href="attachment.cgi?id=[% a.attachid %]&amp;action=edit">Details</a>
+ <a href="attachment.cgi?id=[% a.id %]&amp;action=edit">Details</a>
</td>
</tr>
</table>
[% IF a.isviewable %]
- <iframe src="attachment.cgi?id=[% a.attachid %]" width="75%" height="350">
+ <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
<b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
- <a href="attachment.cgi?id=[% a.attachid %]">View the attachment on a separate page</a>.</b>
+ <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
</iframe>
[% ELSE %]
<p><b>
Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
- <a href="attachment.cgi?id=[% a.attachid %]">Download the attachment instead</a>.
+ <a href="attachment.cgi?id=[% a.id %]">Download the attachment instead</a>.
</b></p>
[% END %]
</div>
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index e80c758cd..d9a3e1913 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -436,7 +436,7 @@
],
'attachment/show-multiple.html.tmpl' => [
- 'a.attachid',
+ 'a.id',
'flag.status'
],