From 1741f7c98b480f25fa707011e00765353499dd8f Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 4 Aug 2010 23:25:07 +0200
Subject: Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query
 for users being in any given group r=mkanat a=LpSolit

---
 Bugzilla/Search.pm | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'Bugzilla/Search.pm')

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 7a6fe60f2..abd3fd53e 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1856,10 +1856,14 @@ sub _contact_exact_group {
     my ($value, $operator, $field, $chart_id, $joins) =
         @$args{qw(value operator field chart_id joins)};
     my $dbh = Bugzilla->dbh;
+    my $user = $self->_user;
     
     $value =~ /\%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $group_ids = Bugzilla::Group->flatten_group_membership($group->id);
     my $table = "user_group_map_$chart_id";
     my $join = {
@@ -1904,6 +1908,9 @@ sub _cc_exact_group {
     $value =~ m/%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $all_groups = Bugzilla::Group->flatten_group_membership($group->id);
 
     # This is for the email1, email2, email3 fields from query.cgi.
-- 
cgit v1.2.3-24-g4f1b