From e2c8da0dfc534ffca6232cc7d370299d5d446604 Mon Sep 17 00:00:00 2001
From: Simon Green
Date: Tue, 19 Feb 2013 18:11:40 +0100
Subject: Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access r/a=LpSolit
---
 report.cgi | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'report.cgi')
diff --git a/report.cgi b/report.cgi
index 2949a18c3..5e51bd34a 100755
--- a/report.cgi
+++ b/report.cgi
@@ -258,7 +258,13 @@ $vars->{'width'} = $width;
 $vars->{'height'} = $height;
 $vars->{'queries'} = $extra_data;
 $vars->{'saved_report_id'} = $cgi->param('saved_report_id');
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+ && Bugzilla->params->{debug_group}
+ && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+ $vars->{'debug'} = 1;
+}
 
 if ($action eq "wrap") {
 # So which template are we using? If action is "wrap", we will be using
-- cgit v1.2.3-24-g4f1b
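Review bot: The context line `$vars->{'queries'} = $extra_data;` still passes the query data to the template unconditionally, so the new `debug_group` check only helps if every report template tests `debug` before rendering `queries`. If `queries` exists only for debug output (not visible in this hunk), assigning it inside the new `if` block as well would enforce the restriction in the CGI rather than in the templates. The guard would also benefit from a short comment such as `# Debug output exposes query details; restrict it to members of debug_group.`, which would make it clear that an empty `debug_group` parameter disables debug output for everyone. This view is limited to report.cgi, so any other script that forwards a `debug` CGI parameter to its templates should be checked for the same guard.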