From bc521effbd39f4e88e8de50dac650acd8a46705f Mon Sep 17 00:00:00 2001
From: "jake%acutex.net" <>
Date: Thu, 31 May 2001 22:52:23 +0000
Subject: Bugzilla was leaking information about bugs marked secure (using bug
 groups). This checkin fixes  bugs 39524, 39527, 39531, and 39533. Patches by
 Myk Melez <myk@mozilla.org>. r= jake@acutex.net

---
 showdependencytree.cgi | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

(limited to 'showdependencytree.cgi')

diff --git a/showdependencytree.cgi b/showdependencytree.cgi
index 74e2778bc..bab36da61 100755
--- a/showdependencytree.cgi
+++ b/showdependencytree.cgi
@@ -29,6 +29,23 @@ require "CGI.pl";
 
 use vars %::FORM;
 
+ConnectToDatabase();
+
+quietly_check_login();
+
+$::usergroupset = $::usergroupset; # More warning suppression silliness.
+
+######################################################################
+# Begin Data/Security Validation
+######################################################################
+
+# Make sure the bug ID is a positive integer representing an existing
+# bug that the user is authorized to access.
+ValidateBugID($::FORM{'id'});
+
+######################################################################
+# End Data/Security Validation
+######################################################################
 
 my $id = $::FORM{'id'};
 my $linkedid = qq{<a href="show_bug.cgi?id=$id">$id</a>};
@@ -36,12 +53,6 @@ my $linkedid = qq{<a href="show_bug.cgi?id=$id">$id</a>};
 print "Content-type: text/html\n\n";
 PutHeader("Dependency tree", "Dependency tree", "Bug $linkedid");
 
-ConnectToDatabase();
-
-quietly_check_login();
-
-$::usergroupset = $::usergroupset; # More warning suppression silliness.
-
 my %seen;
 
 sub DumpKids {
-- 
cgit v1.2.3-24-g4f1b