Landing Myk's patch for bug #71767

24bf6d11 · tara%tequilarista.org · b42289bb · 24bf6d11 · 24bf6d11 · 24bf6d11
Commit 24bf6d11 authored Jun 03, 2001 by tara%tequilarista.org
Show whitespace changes
Inline Side-by-side

Showing with 63 additions and 16 deletions

CGI.pl CGI.pl +25 -7

process_bug.cgi process_bug.cgi +14 -0

show_bug.cgi show_bug.cgi +24 -9

No files found.
--- a/CGI.pl
+++ b/CGI.pl
@@ -238,11 +238,20 @@ sub ValidateBugID {
      || DisplayError("The bug number is invalid.") 
      && exit;

-  # Make sure the usergroupset variable is set.  This variable stores
-  # the set of groups the user is a member of.  This variable should
-  # be set by either confirm_login or quietly_check_login, but we set
-  # it here just in case one of those functions has not been run yet.
-  $::usergroupset ||= 0;
+    # Get the values of the usergroupset and userid global variables
+    # and write them to local variables for use within this function,
+    # setting those local variables to the default value of zero if
+    # the global variables are undefined.
+
+    # "usergroupset" stores the set of groups the user is a member of,
+    # while "userid" stores the user's unique ID.  These variables are
+    # set globally by either confirm_login() or quietly_check_login(),
+    # one of which should be run before calling this function; otherwise
+    # this function will treat the user as if they were not logged in
+    # and throw an error if they try to access a bug that requires
+    # permissions/authorization to access.
+    my $usergroupset = $::usergroupset || 0;
+    my $userid = $::userid || 0;

    # Query the database for the bug, retrieving a boolean value that
    # represents whether or not the user is authorized to access the bug.  
@@ -260,7 +269,7 @@ sub ValidateBugID {
    # may or may not support integers larger than 32 bits.  Using bitsets
    # and doing bitset arithmetic is probably not cross-database compatible,
    # however, so these mechanisms are likely to change in the future.
-  SendSQL("SELECT ((groupset & $::usergroupset) = groupset) 
+    SendSQL("SELECT ((groupset & $usergroupset) = groupset) 
             FROM bugs WHERE bug_id = $id");

    # Make sure the bug exists in the database.
@@ -271,7 +280,16 @@ sub ValidateBugID {
    # Make sure the user is authorized to access the bug.
    my ($isauthorized) = FetchSQLData();
    $isauthorized
-    || DisplayError("You are not authorized to access bug #$id.")
+      || (
+           $userid ?
+           DisplayError("You are not authorized to access bug #$id.") : 
+           DisplayError(
+             qq|You are not authorized to access bug #$id. 
+             To see this bug, you must first 
+             <a href="show_bug.cgi?id=$id&GoAheadAndLogIn=1">log in</a> 
+             to an account with the appropriate permissions.|
+           )
+         )
      && exit;
 }


--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -73,6 +73,20 @@ foreach my $id (@idlist) {
    ValidateBugID($id);
 }

+# If the user has a bug list and is processing one bug, then after
+# we process the bug we are going to show them the next bug on their
+# list.  Thus we have to make sure this bug ID is also valid,
+# since a malicious cracker might alter their cookies for the purpose
+# gaining access to bugs they are not authorized to access.
+if ( $::COOKIE{"BUGLIST"} ne "" && defined $::FORM{'id'} ) {
+    my @buglist = split( /:/ , $::COOKIE{"BUGLIST"} );
+    my $idx = lsearch( \@buglist , $::FORM{"id"} );
+    if ($idx < $#buglist) {
+        my $nextbugid = $buglist[$idx + 1];
+        ValidateBugID($nextbugid);
+    }
+}
+
 ######################################################################
 # End Data/Security Validation
 ######################################################################

--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -29,12 +29,28 @@ ConnectToDatabase();

 if ($::FORM{'GoAheadAndLogIn'}) {
    confirm_login();
+} else {
+    quietly_check_login();
 }

+######################################################################
+# Begin Data/Security Validation
+######################################################################
+
+# Make sure the bug ID is a positive integer representing an existing
+# bug that the user is authorized to access.
+if (defined ($::FORM{'id'})) {
+    ValidateBugID($::FORM{'id'});
+}
+
+######################################################################
+# End Data/Security Validation
+######################################################################
+
 print "Content-type: text/html\n";
 print "\n";

-if (!defined $::FORM{'id'} || $::FORM{'id'} !~ /^\s*\d+\s*$/) {
+if (!defined $::FORM{'id'}) {
    PutHeader("Search by bug number");
    print "<FORM METHOD=GET ACTION=\"show_bug.cgi\">\n";
    print "You may find a single bug by entering its bug id here: \n";
@@ -47,14 +63,13 @@ if (!defined $::FORM{'id'} || $::FORM{'id'} !~ /^\s*\d+\s*$/) {

 GetVersionTable();

-SendSQL("select short_desc, groupset from bugs where bug_id = $::FORM{'id'}");
-my ($summary, $groupset) = FetchSQLData();
-if( $summary && $groupset == 0) {
-    $summary = html_quote($summary);
-    PutHeader("Bug $::FORM{'id'} - $summary", "Bugzilla Bug $::FORM{'id'}", $summary );
-}else {
-    PutHeader("Bugzilla bug $::FORM{'id'}", "Bugzilla Bug", $::FORM{'id'});
-}
+# Get the bug's summary (short description) and display it as
+# the page title.
+SendSQL("SELECT short_desc FROM bugs WHERE bug_id = $::FORM{'id'}");
+my ($summary) = FetchSQLData();
+$summary = html_quote($summary);
+PutHeader("Bug $::FORM{'id'} - $summary", "Bugzilla Bug $::FORM{'id'}", $summary );
+
 navigation_header();

 print "<HR>\n";