From 1d125667d33ac6542562be663930d72eec8e03b7 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Tue, 17 Apr 2012 20:41:05 +0200
Subject: Bug 745320: Shared queries do not work when tags are part of the query r=dkl a=LpSolit
---
 buglist.cgi | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'buglist.cgi')
diff --git a/buglist.cgi b/buglist.cgi
index 7b513e607..ca51e6243 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -228,7 +228,9 @@ sub LookupNamedQuery {
 $query->url || ThrowUserError("buglist_parameters_required");
- return wantarray ? ($query->url, $query->id) : $query->url;
+ # Detaint $sharer_id.
+ $sharer_id = $query->user->id if $sharer_id;
+ return wantarray ? ($query->url, $query->id, $sharer_id) : $query->url;
 }
 # Inserts a Named Query (a "Saved Search") into the database, or
@@ -347,6 +349,7 @@ sub _close_standby_message {
 my $cmdtype = $cgi->param('cmdtype') || '';
 my $remaction = $cgi->param('remaction') || '';
+my $sharer_id;
 # Backwards-compatibility - the old interface had cmdtype="runnamed" to run
 # a named command, and we can't break this because it's in bookmarks.
@@ -383,8 +386,9 @@ $filename =~ s/"/\\"/g; # escape quotes
 if ($cmdtype eq "dorem") {
 if ($remaction eq "run") {
 my $query_id;
- ($buffer, $query_id) = LookupNamedQuery(scalar $cgi->param("namedcmd"),
- scalar $cgi->param('sharer_id'));
+ ($buffer, $query_id, $sharer_id) =
+ LookupNamedQuery(scalar $cgi->param("namedcmd"),
+ scalar $cgi->param('sharer_id'));
 # If this is the user's own query, remember information about it
 # so that it can be modified easily.
 $vars->{'searchname'} = $cgi->param('namedcmd');
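Review bot: The comment `# Detaint $sharer_id.` in the first hunk understates what the new line does: it throws away the caller-supplied sharer_id and substitutes `$query->user->id`, presumably the id of the saved search's owner, so the value returned (and, through the hunk at line 386, handed on to the search) is the one bound to the query the lookup already resolved rather than the raw CGI parameter. A comment saying that would help the next reader, e.g. `# Replace the untrusted sharer_id from the request with the id of the user who owns the matched query; callers must use this value, not the CGI parameter.` Note that the scalar-context return still yields only the URL, so a caller that wants the sharer id has to call in list context, as the line-386 hunk does. The body of LookupNamedQuery begins before this hunk, so where `$sharer_id` is unpacked and checked is not visible here.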
@@ -774,7 +778,8 @@ if ($format->{'extension'} eq 'html' && !defined $params->param('limit')) {
 # Generate the basic SQL query that will be used to generate the bug list.
 my $search = new Bugzilla::Search('fields' => \@selectcolumns,
 'params' => scalar $params->Vars,
- 'order' => \@orderstrings);
+ 'order' => \@orderstrings,
+ 'sharer' => $sharer_id);
 my $query = $search->sql;
 $vars->{'search_description'} = $search->search_description;
-- cgit v1.2.3-24-g4f1b
From af3e4c43b0ad6267669d2e987d6ae3acdde70253 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Wed, 18 Apr 2012 19:00:42 +0200
Subject: Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see r=glob a=LpSolit
---
 buglist.cgi | 10 ----------
 1 file changed, 10 deletions(-)
(limited to 'buglist.cgi')
diff --git a/buglist.cgi b/buglist.cgi
index ca51e6243..d4ddfbd63 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -112,16 +112,6 @@ if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
 $cgi->param('ctype', "atom");
 }
-# The js ctype presents a security risk; a malicious site could use it
-# to gather information about secure bugs. So, we only allow public bugs to be
-# retrieved with this format.
-#
-# Note that if and when this call clears cookies or has other persistent
-# effects, we'll need to do this another way instead.
-if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
- Bugzilla->logout_request();
-}
-
 # An agent is a program that automatically downloads and extracts data
 # on its user's behalf. If this request comes from an agent, we turn off
 # various aspects of bug list functionality so agent requests succeed
-- cgit v1.2.3-24-g4f1b
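Review bot: `'sharer' => $sharer_id` in the hunk at line 778 passes an unset value on every code path except the `cmdtype=dorem` / `remaction=run` branch, since the file-scoped `my $sharer_id;` added at line 349 is assigned only there; ordinary URL-driven lists therefore construct the search with `sharer` undef. If that is intended, a one-line comment at the constructor would save the next reader from tracing it, e.g. `# 'sharer' is set only when running a saved search shared by another user; undef otherwise.` What Bugzilla::Search does with the sharer id is outside this diff; going by the commit title it presumably resolves tag names against the sharer's tags instead of the viewer's, so it is worth confirming on that side that an undef sharer falls back to the current user rather than matching no tags at all.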