Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users…

Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being in any given group r=mkanat a=LpSolit

Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users…
1741f7c9 · Frédéric Buclin · 14242731 · 1741f7c9
Commit 1741f7c9 authored Aug 04, 2010 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

Search.pm Bugzilla/Search.pm +7 -0

No files found.
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1856,10 +1856,14 @@ sub _contact_exact_group {
    my ($value, $operator, $field, $chart_id, $joins) =
        @$args{qw(value operator field chart_id joins)};
    my $dbh = Bugzilla->dbh;
+    my $user = $self->_user;
    
    $value =~ /\%group\.([^%]+)%/;
    my $group = Bugzilla::Group->check($1);
    $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
    my $group_ids = Bugzilla::Group->flatten_group_membership($group->id);
    my $table = "user_group_map_$chart_id";
    my $join = {
@@ -1904,6 +1908,9 @@ sub _cc_exact_group {
    $value =~ m/%group\.([^%]+)%/;
    my $group = Bugzilla::Group->check($1);
    $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
    my $all_groups = Bugzilla::Group->flatten_group_membership($group->id);

    # This is for the email1, email2, email3 fields from query.cgi.