From fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d Mon Sep 17 00:00:00 2001 From: Simon Green Date: Mon, 6 Oct 2014 14:49:38 +0000 Subject: Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group r=glob,a=glob --- Bugzilla/Flag.pm | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) (limited to 'Bugzilla/Flag.pm') diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm index 772a39325..50474b885 100644 --- a/Bugzilla/Flag.pm +++ b/Bugzilla/Flag.pm @@ -1124,18 +1124,32 @@ sub notify { $default_lang = Bugzilla::User->new()->setting('lang'); } + # Get comments on the bug + my $all_comments = $bug->comments({ after => $bug->lastdiffed }); + @$all_comments = grep { $_->type || $_->body =~ /\S/ } @$all_comments; + + # Get public only comments + my $public_comments = [ grep { !$_->is_private } @$all_comments ]; + foreach my $to (keys %recipients) { # Add threadingmarker to allow flag notification emails to be the # threaded similar to normal bug change emails. my $thread_user_id = $recipients{$to} ? $recipients{$to}->id : 0; - my $vars = { 'flag' => $flag, - 'old_flag' => $old_flag, - 'to' => $to, - 'date' => $timestamp, - 'bug' => $bug, - 'attachment' => $attachment, - 'threadingmarker' => build_thread_marker($bug->id, $thread_user_id) }; + # We only want to show private comments to users in the is_insider group + my $comments = $recipients{$to} && $recipients{$to}->is_insider + ? $all_comments : $public_comments; + + my $vars = { + flag => $flag, + old_flag => $old_flag, + to => $to, + date => $timestamp, + bug => $bug, + attachment => $attachment, + threadingmarker => build_thread_marker($bug->id, $thread_user_id), + new_comments => $comments, + }; my $lang = $recipients{$to} ? $recipients{$to}->setting('lang') : $default_lang; -- cgit v1.2.3-24-g4f1b