From 86a7f0140f898cd77e5d3a2dcfd52722d2f65089 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Thu, 6 Aug 2015 12:21:33 +0800
Subject: Bug 1191565 - [Security] Able to delete any Bugzilla user's component watching

---
 extensions/ComponentWatching/Extension.pm | 7 ++++---
 .../en/default/hook/global/code-error-errors.html.tmpl | 12 ++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 extensions/ComponentWatching/template/en/default/hook/global/code-error-errors.html.tmpl

(limited to 'extensions')

diff --git a/extensions/ComponentWatching/Extension.pm b/extensions/ComponentWatching/Extension.pm
index 318de5e1a..a56b46249 100644
--- a/extensions/ComponentWatching/Extension.pm
+++ b/extensions/ComponentWatching/Extension.pm
@@ -14,7 +14,7 @@ use Bugzilla::Error;
 use Bugzilla::Group;
 use Bugzilla::User;
 use Bugzilla::User::Setting;
-use Bugzilla::Util qw(trim trick_taint);
+use Bugzilla::Util qw(detaint_natural trim trick_taint);
 
 our $VERSION = '2';
 
@@ -611,8 +611,9 @@ sub _deleteWatch {
     my ($user, $id) = @_;
     my $dbh = Bugzilla->dbh;
 
-    trick_taint($id);
-    $dbh->do("DELETE FROM component_watch WHERE id=?", undef, $id);
+    detaint_natural($id) || ThrowCodeError("component_watch_invalid_id");
+    $dbh->do("DELETE FROM component_watch WHERE id=? AND user_id=?",
+             undef, $id, $user->id);
 }
 
 sub _addDefaultSettings {
diff --git a/extensions/ComponentWatching/template/en/default/hook/global/code-error-errors.html.tmpl b/extensions/ComponentWatching/template/en/default/hook/global/code-error-errors.html.tmpl
new file mode 100644
index 000000000..04640afef
--- /dev/null
+++ b/extensions/ComponentWatching/template/en/default/hook/global/code-error-errors.html.tmpl
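Review bot: The new DELETE in `_deleteWatch` silently does nothing when `$id` is a well-formed number that belongs to another user or no longer exists, because the row count returned by `$dbh->do` is discarded, so the caller cannot distinguish a successful removal from a rejected or stale id. Consider keeping the result, e.g. `my $rows = $dbh->do("DELETE FROM component_watch WHERE id=? AND user_id=?", undef, $id, $user->id);` followed by `ThrowCodeError("component_watch_invalid_id") if $rows == 0;` — note that DBI's `do` returns the string "0E0" for zero affected rows, so a plain truth test would not catch that case. Separately, a malformed id arriving from the request is user input rather than an internal inconsistency, so `ThrowUserError` from the already-imported Bugzilla::Error may fit Bugzilla's convention better than `ThrowCodeError`, though that depends on how the caller surfaces errors. The `sub _deleteWatch {` line itself appears only in the hunk header, outside the hunk's lines.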
@@ -0,0 +1,12 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% IF error == "component_watch_invalid_id" %]
+  [% title = "Invalid Component Watch ID" %]
+  The component watch id provided is invalid.
+[% END %]
-- 
cgit v1.2.3-24-g4f1b