From af8e935a3e793538b21e5a952e0963e7b9af044e Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Thu, 4 Aug 2011 22:53:52 +0200
Subject: Bug 674497: (CVE-2011-2979) [SECURITY] Custom searches let you
 determine if a group exists or not r=glob a=LpSolit

---
 Bugzilla/Search.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 16e72b296..a5c3e032d 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2007,7 +2007,7 @@ sub _contact_exact_group {
     my $user = $self->_user;
     
     $value =~ /\%group\.([^%]+)%/;
-    my $group = Bugzilla::Group->check($1);
+    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
     $group->check_members_are_visible();
     $user->in_group($group)
       || ThrowUserError('invalid_group_name', {name => $group->name});
@@ -2054,7 +2054,7 @@ sub _cc_exact_group {
     my $dbh = Bugzilla->dbh;
     
     $value =~ m/%group\.([^%]+)%/;
-    my $group = Bugzilla::Group->check($1);
+    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
     $group->check_members_are_visible();
     $user->in_group($group)
       || ThrowUserError('invalid_group_name', {name => $group->name});
-- 
cgit v1.2.3-24-g4f1b