From 79b572263ea0dfcc1638757057825c3e6a2ee38d Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 15 Oct 2006 04:04:55 +0000
Subject: Bug 346086: [SECURITY] attachment.cgi lets you view descriptions of
 private attachments even when you are not in the insidergroup - Patch by
 Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 template/en/default/attachment/list.html.tmpl          |  3 +--
 template/en/default/attachment/show-multiple.html.tmpl | 12 ++++++------
 template/en/default/filterexceptions.pl                |  2 +-
 3 files changed, 8 insertions(+), 9 deletions(-)

(limited to 'template')

diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index adb927e1a..a0445b16a 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -32,11 +32,10 @@
     [% END %]
     <th bgcolor="#cccccc" align="left">Actions</th>
   </tr>
-  [% canseeprivate = !Param("insidergroup") || user.in_group(Param("insidergroup")) %]
   [% count = 0 %]
   [% FOREACH attachment = attachments %]
     [% count = count + 1 %]
-    [% IF !attachment.isprivate || canseeprivate %]
+    [% IF !attachment.isprivate || user.is_insider || attachment.attacher.id == user.id %]
       <tr [% "class=\"bz_private\"" IF attachment.isprivate %]>
         <td valign="top">
           <a name="a[% count %]" href="attachment.cgi?id=[% attachment.id %]">[% attachment.description FILTER html FILTER obsolete(attachment.isobsolete) %]</a>
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index ca2690c6e..ad0dfbafd 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -41,7 +41,7 @@
   <table class="attachment_info" cellspacing="0" cellpadding="4" border="1" width="75%">
     <tr>
       <td valign="top" bgcolor="#cccccc" colspan="6">
-        <big><b>Attachment #[% a.attachid %]</b></big>
+        <big><b>Attachment #[% a.id %]</b></big>
       </td>
     </tr>
     <tr>
@@ -57,7 +57,7 @@
         [% END %]
       </td>
 
-      <td valign="top">[% a.date FILTER time %]</td>
+      <td valign="top">[% a.attached FILTER time %]</td>
       <td valign="top">[% a.datasize FILTER unitconvert %]</td>
 
       <td valign="top">
@@ -76,20 +76,20 @@
       </td>
 
       <td valign="top">
-        <a href="attachment.cgi?id=[% a.attachid %]&amp;action=edit">Details</a>
+        <a href="attachment.cgi?id=[% a.id %]&amp;action=edit">Details</a>
       </td>
     </tr>
   </table>
 
   [% IF a.isviewable %]
-    <iframe src="attachment.cgi?id=[% a.attachid %]" width="75%" height="350">
+    <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
       <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
-      <a href="attachment.cgi?id=[% a.attachid %]">View the attachment on a separate page</a>.</b>
+      <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
     </iframe>
   [% ELSE %]
     <p><b>
       Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
-      <a href="attachment.cgi?id=[% a.attachid %]">Download the attachment instead</a>.
+      <a href="attachment.cgi?id=[% a.id %]">Download the attachment instead</a>.
     </b></p>
   [% END %]
   </div>
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index e80c758cd..d9a3e1913 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -436,7 +436,7 @@
 ],
 
 'attachment/show-multiple.html.tmpl' => [
-  'a.attachid', 
+  'a.id',
   'flag.status'
 ],
 
-- 
cgit v1.2.3-24-g4f1b