[SECURITY] Bug 250605: Changes to the metadata (filename, description, mime…

[SECURITY] Bug 250605: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when receiving bug change notification mails. This only affects sites that use the 'insidergroup' feature. Patch by Joel Peshkin <bugreport@peshkin.net> r=kiko,justdave, a=justdave

[SECURITY] Bug 250605: Changes to the metadata (filename, description, mime…
f4c3d847 · justdave%bugzilla.org · 22628e0a · f4c3d847
Commit f4c3d847 authored Oct 25, 2004 by justdave%bugzilla.org
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

BugMail.pm Bugzilla/BugMail.pm +10 -0

No files found.
--- a/Bugzilla/BugMail.pm
+++ b/Bugzilla/BugMail.pm
@@ -238,6 +238,11 @@ sub ProcessOneBug($) {
            $old = FormatTimeUnit($old);
            $new = FormatTimeUnit($new);
        }
+        if ($attachid) {
+            SendSQL("SELECT isprivate FROM attachments 
+                     WHERE attach_id = $attachid");
+            $diffpart->{'isprivate'} = FetchOneColumn();
+        }
        $difftext = FormatTriple($what, $old, $new);
        $diffpart->{'header'} = $diffheader;
        $diffpart->{'fieldname'} = $fieldname;
@@ -772,6 +777,11 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
            if ($user->groups->{Param("timetrackinggroup")}) {
                $add_diff = 1;
            }
+        } elsif (($diff->{'isprivate'}) 
+                 && Param('insidergroup')
+                 && !($user->groups->{Param('insidergroup')})
+                ) {
+            $add_diff = 0;
        } else {
            $add_diff = 1;
        }