[SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and…

[SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and attachment summaries which are marked as private to users who are not members of the group allowed to see private comments and attachments. XML export is not exposed in the user interface, but is available to anyone who knows the correct URL to invoke it. This only affects sites that use the 'insidergroup' feature. Patch by Joel Peshkin <bugreport@peshkin.net> r=vladd,justdave, a=justdave

[SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and…
53bd4df6 · justdave%bugzilla.org · 23df77be · 53bd4df6 · 53bd4df6
Commit 53bd4df6 authored Oct 25, 2004 by justdave%bugzilla.org
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

show_bug.cgi show_bug.cgi +4 -0

show.xml.tmpl template/en/default/bug/show.xml.tmpl +2 -0

No files found.
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -113,6 +113,10 @@ if ($cgi->param("field")) {
    @fieldlist = $cgi->param("field");
 }
+unless (UserInGroup(Param("timetrackinggroup"))) {
+    @fieldlist = grep($_ !~ /_time$/, @fieldlist);
+}
 foreach (@fieldlist) {
    $displayfields{$_} = 1;
 }

--- a/template/en/default/bug/show.xml.tmpl
+++ b/template/en/default/bug/show.xml.tmpl
@@ -53,6 +53,7 @@
      [% IF displayfields.long_desc %]
        [% FOREACH c = bug.longdescs %]
+          [% NEXT IF c.isprivate && !UserInGroup(Param("insidergroup")) %]
          <long_desc>
            <who>[% c.email FILTER xml %]</who>
            <bug_when>[% c.time FILTER time FILTER xml %]</bug_when>
@@ -63,6 +64,7 @@
      [% IF displayfields.attachment %]
        [% FOREACH a = bug.attachments %]
+          [% NEXT IF a.isprivate && !UserInGroup(Param("insidergroup")) %]
          <attachment>
            <attachid>[% a.attachid %]</attachid>
            <date>[% a.date FILTER time FILTER xml %]</date>