Commit b3ecc440 authored by Simon Green's avatar Simon Green Committed by Frédéric Buclin

Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of…

Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access r/a=LpSolit
parent adf712e6
...@@ -57,6 +57,14 @@ sub get_param_list { ...@@ -57,6 +57,14 @@ sub get_param_list {
}, },
{ {
name => 'debug_group',
type => 's',
choices => \&_get_all_group_names,
default => 'admin',
checker => \&check_group
},
{
name => 'usevisibilitygroups', name => 'usevisibilitygroups',
type => 'b', type => 'b',
default => 0 default => 0
......
...@@ -736,7 +736,10 @@ $::SIG{PIPE} = 'DEFAULT'; ...@@ -736,7 +736,10 @@ $::SIG{PIPE} = 'DEFAULT';
my ($data, $extra_data) = $search->data; my ($data, $extra_data) = $search->data;
$vars->{'search_description'} = $search->search_description; $vars->{'search_description'} = $search->search_description;
if ($cgi->param('debug')) { if ($cgi->param('debug')
&& Bugzilla->params->{debug_group}
&& $user->in_group(Bugzilla->params->{debug_group})
) {
$vars->{'debug'} = 1; $vars->{'debug'} = 1;
$vars->{'queries'} = $extra_data; $vars->{'queries'} = $extra_data;
my $query_time = 0; my $query_time = 0;
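Review bot: The new three-part condition around `debug` carries no comment saying why it exists, and the same test is written out a second time in the report hunk further down this page. A line such as `# Debug output shows the generated SQL, which can reveal products and components the user cannot see; only members of debug_group get it.` above the `if` would keep a later cleanup from loosening the gate. It is also worth stating there that an empty `debug_group` turns debug output off for everyone, since that follows only from the truthiness test in the middle of the condition. The enclosing script code starts and ends outside the hunk.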
......
...@@ -257,7 +257,13 @@ $vars->{'width'} = $width; ...@@ -257,7 +257,13 @@ $vars->{'width'} = $width;
$vars->{'height'} = $height; $vars->{'height'} = $height;
$vars->{'queries'} = $extra_data; $vars->{'queries'} = $extra_data;
$vars->{'saved_report_id'} = $cgi->param('saved_report_id'); $vars->{'saved_report_id'} = $cgi->param('saved_report_id');
$vars->{'debug'} = $cgi->param('debug');
if ($cgi->param('debug')
&& Bugzilla->params->{debug_group}
&& Bugzilla->user->in_group(Bugzilla->params->{debug_group})
) {
$vars->{'debug'} = 1;
}
if ($action eq "wrap") { if ($action eq "wrap") {
# So which template are we using? If action is "wrap", we will be using # So which template are we using? If action is "wrap", we will be using
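Review bot: `$vars->{'queries'} = $extra_data;` is still assigned on every request, above the new group check, so the generated SQL is handed to the template even for users outside `debug_group`. Whether it is then rendered depends on the template testing `debug`, which is not visible here. Moving that assignment inside the new block, next to `$vars->{'debug'} = 1;`, would make the gate independent of the template and match the bug-list hunk above, where `queries` is only set inside the guarded branch. The surrounding script code starts and ends outside the hunk.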
......
...@@ -29,6 +29,9 @@ ...@@ -29,6 +29,9 @@
querysharegroup => "The name of the group of users who can share their " _ querysharegroup => "The name of the group of users who can share their " _
"saved searches with others.", "saved searches with others.",
debug_group => "The name of the group of users who can view the actual " _
"SQL query generated when viewing $terms.bug lists and reports.",
usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _ usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
"specific groups?", "specific groups?",
......