From bc521effbd39f4e88e8de50dac650acd8a46705f Mon Sep 17 00:00:00 2001
From: "jake%acutex.net" <>
Date: Thu, 31 May 2001 22:52:23 +0000
Subject: Bugzilla was leaking information about bugs marked secure (using bug groups). This checkin fixes bugs 39524, 39527, 39531, and 39533. Patches by Myk Melez . r= jake@acutex.net
---
 showvotes.cgi | 61 ++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 31 insertions(+), 30 deletions(-)
 (limited to 'showvotes.cgi')
diff --git a/showvotes.cgi b/showvotes.cgi
index 575156786..bb87848f0 100755
--- a/showvotes.cgi
+++ b/showvotes.cgi
@@ -28,50 +28,51 @@ require "CGI.pl";
 ConnectToDatabase();
+if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
+ !defined $::FORM{'user'})) {
+ confirm_login();
+ $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
+} else {
+ # Check whether or not the user is currently logged in without throwing
+ # an error if the user is not logged in. This function sets the value
+ # of $::usergroupset, the binary number that records the set of groups
+ # to which the user belongs and which gets used in ValidateBugID below
+ # to determine whether or not the user is authorized to access the bug
+ # whose votes are being shown or which is being voted on.
+ quietly_check_login();
+}
+
 ################################################################################
-# START Form Data Validation
+# Begin Data/Security Validation
 ################################################################################
-# For security and correctness, validate the value of the "voteon" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'voteon'}) {
- $::FORM{'voteon'} =~ /^(\d+)$/;
- $::FORM{'voteon'} = $1 || 0;
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'voteon'}");
- FetchSQLData()
- || DisplayError("You entered an invalid bug number to vote on.") && exit;
+# Make sure the bug ID is a positive integer representing an existing
+# bug that the user is authorized to access.
+if (defined $::FORM{'bug_id'}) {
+ ValidateBugID($::FORM{'bug_id'});
 }
-# For security and correctness, validate the value of the "bug_id" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'bug_id'}) {
- $::FORM{'bug_id'} =~ /^(\d+)$/;
- $::FORM{'bug_id'} = $1 || 0;
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'bug_id'}");
- FetchSQLData()
- || DisplayError("You entered an invalid bug number.") && exit;
+# Make sure the bug ID being voted on is a positive integer representing
+# an existing bug that the user is authorized to access.
+if (defined $::FORM{'voteon'}) {
+ ValidateBugID($::FORM{'voteon'});
 }
-# For security and correctness, validate the value of the "userid" form variable.
-# Valid values are those containing a number that is the ID of an existing user.
+# Make sure the user ID is a positive integer representing an existing user.
 if (defined $::FORM{'user'}) {
- $::FORM{'user'} =~ /^(\d+)$/;
- $::FORM{'user'} = $1 || 0;
- SendSQL("SELECT userid FROM profiles WHERE userid = $::FORM{'user'}");
+ $::FORM{'user'} =~ /^([1-9][0-9]*)$/
+ || DisplayError("The user number is invalid.")
+ && exit;
+ SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}");
 FetchSQLData()
- || DisplayError("You specified an invalid user number.") && exit;
+ || DisplayError("User #$::FORM{'user'} does not exist.")
+ && exit;
 }
 ################################################################################
-# END Form Data Validation
+# End Data/Security Validation
 ################################################################################
-if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
- !defined $::FORM{'user'})) {
- confirm_login();
- $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
-}
-
 print "Content-type: text/html\n\n";
 if (defined $::FORM{'bug_id'}) {
-- cgit v1.2.3-24-g4f1b
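Review bot: The new `user` check matches `/^([1-9][0-9]*)$/` but never reassigns the value from the capture, and `$` still matches before a trailing newline, so a value such as `42\n` passes validation and is interpolated as-is into the `SELECT 1 FROM profiles` query and the `User #...` error message, whereas the old code at least normalised with `$1 || 0`. Reassign from the capture after the match, `$::FORM{'user'} = $1;`, or anchor with `\z` instead of `$`, so that what reaches SendSQL is exactly the validated integer. The `|| DisplayError(...) && exit` idiom also depends on DisplayError returning a true value, since `&&` binds tighter than `||` and a false return would let the script carry on with the rejected value; `|| (DisplayError(...), exit)` or a plain if/exit avoids that dependency, though DisplayError itself is not visible here. This hunk is top-level script code, and the validated values are consumed by statements that continue past the end of the hunk.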