Commit b3ecc440 authored by Simon Green's avatar Simon Green Committed by Frédéric Buclin

Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of…

Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access r/a=LpSolit
parent adf712e6
......@@ -57,6 +57,14 @@ sub get_param_list {
},
{
name => 'debug_group',
type => 's',
choices => \&_get_all_group_names,
default => 'admin',
checker => \&check_group
},
{
name => 'usevisibilitygroups',
type => 'b',
default => 0
......
......@@ -736,7 +736,10 @@ $::SIG{PIPE} = 'DEFAULT';
my ($data, $extra_data) = $search->data;
$vars->{'search_description'} = $search->search_description;
if ($cgi->param('debug')) {
if ($cgi->param('debug')
&& Bugzilla->params->{debug_group}
&& $user->in_group(Bugzilla->params->{debug_group})
) {
$vars->{'debug'} = 1;
$vars->{'queries'} = $extra_data;
my $query_time = 0;
......
......@@ -257,7 +257,13 @@ $vars->{'width'} = $width;
$vars->{'height'} = $height;
$vars->{'queries'} = $extra_data;
$vars->{'saved_report_id'} = $cgi->param('saved_report_id');
$vars->{'debug'} = $cgi->param('debug');
if ($cgi->param('debug')
&& Bugzilla->params->{debug_group}
&& Bugzilla->user->in_group(Bugzilla->params->{debug_group})
) {
$vars->{'debug'} = 1;
}
if ($action eq "wrap") {
# So which template are we using? If action is "wrap", we will be using
......
......@@ -29,6 +29,9 @@
querysharegroup => "The name of the group of users who can share their " _
"saved searches with others.",
debug_group => "The name of the group of users who can view the actual " _
"SQL query generated when viewing $terms.bug lists and reports.",
usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
"specific groups?",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment