From af8e935a3e793538b21e5a952e0963e7b9af044e Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Thu, 4 Aug 2011 22:53:52 +0200
Subject: Bug 674497: (CVE-2011-2979) [SECURITY] Custom searches let you determine if a group exists or not r=glob a=LpSolit
---
 Bugzilla/Search.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 16e72b296..a5c3e032d 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2007,7 +2007,7 @@ sub _contact_exact_group {
 my $user = $self->_user;
 $value =~ /\%group\.([^%]+)%/;
- my $group = Bugzilla::Group->check($1);
+ my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
 $group->check_members_are_visible();
 $user->in_group($group) || ThrowUserError('invalid_group_name', {name => $group->name});
@@ -2054,7 +2054,7 @@ sub _cc_exact_group {
 my $dbh = Bugzilla->dbh;
 $value =~ m/%group\.([^%]+)%/;
- my $group = Bugzilla::Group->check($1);
+ my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
 $group->check_members_are_visible();
 $user->in_group($group) || ThrowUserError('invalid_group_name', {name => $group->name});
--
cgit v1.2.3-24-g4f1b
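Review bot: In both `_contact_exact_group` and `_cc_exact_group`, `$group->check_members_are_visible()` still runs before the `$user->in_group($group)` test, so a caller who is not a member reaches the visibility check whenever the group exists. That method's body is not shown here; if it raises an error other than `invalid_group_name`, the responses would still distinguish an existing group from a missing one, which is the difference this commit removes from `Bugzilla::Group->check`. Consider placing `$user->in_group($group) || ThrowUserError('invalid_group_name', {name => $group->name});` ahead of `$group->check_members_are_visible();`, or confirming that both paths report the same error. Separately, `$1` is read without testing that the `%group.NAME%` match succeeded, so a guard on the match result would rule out a stale capture if a caller ever passes a value that does not match; both function bodies continue outside the hunks, so the dispatch that guarantees the match may simply not be visible here.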