Commit 22628e0a authored by justdave%bugzilla.org's avatar justdave%bugzilla.org

[SECURITY] Bug 253544: Changes to the metadata (filename, description, mime…

[SECURITY] Bug 253544: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when viewing the bug activity log. This only affects sites that use the 'insidergroup' feature. Patch by Joel Peshkin <bugreport@peshkin.net> r=zach,justdave, a=justdave
parent 53bd4df6
...@@ -315,7 +315,13 @@ sub GetBugActivity { ...@@ -315,7 +315,13 @@ sub GetBugActivity {
if (defined $starttime) { if (defined $starttime) {
$datepart = "and bugs_activity.bug_when > " . SqlQuote($starttime); $datepart = "and bugs_activity.bug_when > " . SqlQuote($starttime);
} }
my $suppjoins = "";
my $suppwhere = "";
if (Param("insidergroup") && !UserInGroup(Param('insidergroup'))) {
$suppjoins = "LEFT JOIN attachments
ON attachments.attach_id = bugs_activity.attach_id";
$suppwhere = "AND NOT(COALESCE(attachments.isprivate,0))";
}
my $query = " my $query = "
SELECT COALESCE(fielddefs.description, bugs_activity.fieldid), SELECT COALESCE(fielddefs.description, bugs_activity.fieldid),
fielddefs.name, fielddefs.name,
...@@ -323,11 +329,11 @@ sub GetBugActivity { ...@@ -323,11 +329,11 @@ sub GetBugActivity {
DATE_FORMAT(bugs_activity.bug_when,'%Y.%m.%d %H:%i'), DATE_FORMAT(bugs_activity.bug_when,'%Y.%m.%d %H:%i'),
bugs_activity.removed, bugs_activity.added, bugs_activity.removed, bugs_activity.added,
profiles.login_name profiles.login_name
FROM bugs_activity LEFT JOIN fielddefs ON FROM bugs_activity $suppjoins LEFT JOIN fielddefs ON
bugs_activity.fieldid = fielddefs.fieldid, bugs_activity.fieldid = fielddefs.fieldid,
profiles profiles
WHERE bugs_activity.bug_id = $id $datepart WHERE bugs_activity.bug_id = $id $datepart
AND profiles.userid = bugs_activity.who AND profiles.userid = bugs_activity.who $suppwhere
ORDER BY bugs_activity.bug_when"; ORDER BY bugs_activity.bug_when";
SendSQL($query); SendSQL($query);
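Review bot: The added `$suppjoins`/`$suppwhere` block at the top of the first hunk carries no comment, and the `COALESCE(attachments.isprivate,0)` is the part a reader is most likely to misjudge, since without it the `NOT` would also discard every row for which the LEFT JOIN finds no attachment (presumably the ordinary field changes with a NULL attach_id). A comment before `my $suppjoins = "";` such as `# Hide activity on private attachments from users outside insidergroup; COALESCE keeps rows that have no attachment (NULL from the LEFT JOIN)` would record both the security intent and the reason for the default. The filter is keyed on the attachment's current isprivate value, so activity logged while an attachment was private becomes visible once it is made public; if that is intended it deserves a word in the same comment. Minor style: the same line mixes `Param("insidergroup")` and `Param('insidergroup')`, and one quoting form is easier to grep. GetBugActivity begins before the hunk and continues after it.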