From 528016e235194489877c73835ad5296f2180440d Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 13 Nov 2012 18:36:33 +0100
Subject: Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of
 groups when using User.get() r=dkl a=LpSolit

---
 Bugzilla/WebService/Constants.pm |  1 +
 Bugzilla/WebService/User.pm      | 26 ++++++++++++++++++++------
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 59aab9b55..6274c3a78 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -166,6 +166,7 @@ use constant WS_ERROR_CODE => {
     group_exists => 801,
     empty_group_description => 802,
     invalid_regexp => 803,
+    invalid_group_name => 804,
 
     # Errors thrown by the WebService itself. The ones that are negative 
     # conform to http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index f8704a947..deb7518ec 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -233,12 +233,18 @@ sub _filter_users_by_group {
     # If no groups are specified, we return all users.
     return $users if (!$group_ids and !$group_names);
 
+    my $user = Bugzilla->user;
+
     my @groups = map { Bugzilla::Group->check({ id => $_ }) } 
                      @{ $group_ids || [] };
-    my @name_groups = map { Bugzilla::Group->check($_) } 
-                          @{ $group_names || [] };
-    push(@groups, @name_groups);
-    
+
+    if ($group_names) {
+        foreach my $name (@$group_names) {
+            my $group = Bugzilla::Group->check({ name => $name, _error => 'invalid_group_name' });
+            $user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name });
+            push(@groups, $group);
+        }
+    }
 
     my @in_group = grep { $self->_user_in_any_group($_, \@groups) }
                         @$users;
@@ -586,10 +592,10 @@ C<real_name>, C<email>, and C<can_login> items.
 
 =over
 
-=item 51 (Bad Login Name or Group Name)
+=item 51 (Bad Login Name or Group ID)
 
 You passed an invalid login name in the "names" array or a bad
-group name/id in the C<groups>/C<group_ids> arguments.
+group ID in the C<group_ids> argument.
 
 =item 304 (Authorization Required)
 
@@ -601,6 +607,11 @@ wanted to get information about by user id.
 Logged-out users cannot use the "ids" or "match" arguments to this 
 function.
 
+=item 804 (Invalid Group Name)
+
+You passed a group name in the C<groups> argument which either does not
+exist or you do not belong to it.
+
 =back
 
 =item B<History>
@@ -614,6 +625,9 @@ function.
 =item C<include_disabled> added in Bugzilla B<4.0>. Default behavior 
 for C<match> has changed to only returning enabled accounts.
 
+=item Error 804 has been added in Bugzilla 4.0.9 and 4.2.4. It's now
+illegal to pass a group name you don't belong to.
+
 =back
 
 =back
-- 
cgit v1.2.3-24-g4f1b