From ce9c76ebbd1a699ce89cdead5f7ba427b62d9844 Mon Sep 17 00:00:00 2001
From: "jake%acutex.net" <>
Date: Thu, 7 Jun 2001 01:36:25 +0000
Subject: Users should only be able to view attachments if they can view the bug that the file is attached to (bug 70189) r=tara

---
 showattachment.cgi | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

(limited to 'showattachment.cgi')

diff --git a/showattachment.cgi b/showattachment.cgi
index 22cfa9087..ae81117e5 100755
--- a/showattachment.cgi
+++ b/showattachment.cgi
@@ -19,6 +19,7 @@
 # Rights Reserved.
 #
 # Contributor(s): Terry Weissman
+# Jacob Steenhagen
 
 use diagnostics;
 use strict;
@@ -27,17 +28,24 @@ require "CGI.pl";
 
 ConnectToDatabase();
 
-my @row;
-if (defined $::FORM{'attach_id'}) {
-    SendSQL("select mimetype, thedata from attachments where attach_id =".SqlQuote($::FORM{'attach_id'}));
-    @row = FetchSQLData();
+quietly_check_login();
+
+if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) {
+    DisplayError("Attachment ID should be numeric.");
+    exit;
 }
-if (!@row) {
-    print "Content-type: text/html\n\n";
-    PutHeader("Bad ID");
-    print "Please hit back and try again.\n";
+
+SendSQL("select bug_id, mimetype, thedata from attachments where attach_id = $::FORM{'attach_id'}");
+my ($bug_id, $mimetype, $thedata) = FetchSQLData();
+
+if (!$bug_id) {
+    DisplayError("Attachment $::FORM{attach_id} does not exist.");
     exit;
 }
-print qq{Content-type: $row[0]\n\n$row[1]};
+
+# Make sure the user can see the bug to which this file is attached
+ValidateBugID($bug_id);
+
+print qq{Content-type: $mimetype\n\n$thedata};
 
 
-- 
cgit v1.2.3-24-g4f1b
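Review bot: The numeric check in the second hunk uses `$` as its end anchor, which also matches before a trailing newline, so a value such as "42\n" passes the check and is then interpolated unquoted into the SQL string now that the SqlQuote() call has been dropped; use the string-end anchor, `if ($::FORM{attach_id} !~ /^[1-9][0-9]*\z/) {`, or keep SqlQuote() around the interpolated value so the query does not depend on the regex alone. The same anchoring matters for the `DisplayError("Attachment $::FORM{attach_id} does not exist.")` line, which echoes the submitted value back to the browser and is only safe because the check above it has already constrained it to digits. The final `print` runs unconditionally after `ValidateBugID($bug_id)`, so the new access control relies on that routine exiting the script on failure rather than returning; that routine is defined in CGI.pl outside this diff, and a one-line comment stating that assumption, `# ValidateBugID() exits on failure; nothing below runs for a bug the user cannot see`, would make the dependency explicit for the next maintainer.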