Commit 9910fc71 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 308256: [SECURITY] config.cgi doesn't check Param('requirelogin') - Patch by…

Bug 308256: [SECURITY] config.cgi doesn't check Param('requirelogin') - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=justdave
parent 5a10048e
...@@ -32,9 +32,8 @@ use strict; ...@@ -32,9 +32,8 @@ use strict;
# Include the Bugzilla CGI and general utility library. # Include the Bugzilla CGI and general utility library.
use lib qw(.); use lib qw(.);
require "globals.pl"; require "globals.pl";
use Bugzilla;
# Retrieve this installation's configuration. use Bugzilla::Constants;
GetVersionTable();
# Suppress "used only once" warnings. # Suppress "used only once" warnings.
use vars use vars
...@@ -53,7 +52,18 @@ use vars ...@@ -53,7 +52,18 @@ use vars
# Use the global template variables defined in globals.pl # Use the global template variables defined in globals.pl
# to generate the output. # to generate the output.
use vars qw($template $vars); use vars qw($vars);
my $user = Bugzilla->login(LOGIN_OPTIONAL);
# If the 'requirelogin' parameter is on and the user is not
# authenticated, return empty fields.
if (Param('requirelogin') && !$user->id) {
display_data();
}
# Retrieve this installation's configuration.
GetVersionTable();
# Pass a bunch of Bugzilla configuration to the templates. # Pass a bunch of Bugzilla configuration to the templates.
$vars->{'priority'} = \@::legal_priority; $vars->{'priority'} = \@::legal_priority;
...@@ -65,7 +75,7 @@ $vars->{'resolution'} = \@::legal_resolution; ...@@ -65,7 +75,7 @@ $vars->{'resolution'} = \@::legal_resolution;
$vars->{'status'} = \@::legal_bug_status; $vars->{'status'} = \@::legal_bug_status;
# Include a list of product objects. # Include a list of product objects.
$vars->{'products'} = Bugzilla->user->get_selectable_products; $vars->{'products'} = $user->get_selectable_products;
# Create separate lists of open versus resolved statuses. This should really # Create separate lists of open versus resolved statuses. This should really
# be made part of the configuration. # be made part of the configuration.
...@@ -81,15 +91,25 @@ $vars->{'closed_status'} = \@closed_status; ...@@ -81,15 +91,25 @@ $vars->{'closed_status'} = \@closed_status;
# Generate a list of fields that can be queried. # Generate a list of fields that can be queried.
$vars->{'field'} = [Bugzilla->dbh->bz_get_field_defs()]; $vars->{'field'} = [Bugzilla->dbh->bz_get_field_defs()];
# Determine how the user would like to receive the output; display_data($vars);
# default is JavaScript.
my $cgi = Bugzilla->cgi;
my $format = $template->get_format("config", scalar($cgi->param('format')), sub display_data {
my $vars = shift;
my $cgi = Bugzilla->cgi;
my $template = Bugzilla->template;
# Determine how the user would like to receive the output;
# default is JavaScript.
my $format = $template->get_format("config", scalar($cgi->param('format')),
scalar($cgi->param('ctype')) || "js"); scalar($cgi->param('ctype')) || "js");
# Return HTTP headers. # Return HTTP headers.
print "Content-Type: $format->{'ctype'}\n\n"; print "Content-Type: $format->{'ctype'}\n\n";
# Generate the configuration file and return it to the user. # Generate the configuration file and return it to the user.
$template->process($format->{'template'}, $vars) $template->process($format->{'template'}, $vars)
|| ThrowTemplateError($template->error()); || ThrowTemplateError($template->error());
exit;
}
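Review bot: In the `@@ -53,7 +52,18 @@` hunk the requirelogin branch calls `display_data();` and, as written, falls through to `GetVersionTable()` and the full-data path; it only stops because `display_data` ends with `exit;` (last lines of the `@@ -81,15 +91,25 @@` hunk), which is not visible at the call site. I would make that explicit where it matters, e.g. `display_data();  # prints an empty config and exits; nothing below runs for anonymous users under requirelogin`, or move the `exit;` out of the sub and call it after each of the two `display_data` calls. Inside the sub, `my $vars = shift;` is undef on the unauthenticated path, so `$template->process` is handed no variables; a comment on that line saying this is deliberate would stop a later maintainer from "fixing" the missing argument. Whether an undef `$vars` really renders as empty fields rather than a template error, and whether the globally installed template variables still expose configuration in that mode, depends on the config template and Bugzilla::Template, which are outside this diff, so it is worth confirming with a requirelogin test.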