aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjustdave%syndicomm.com <>2003-11-03 11:25:51 +0000
committerjustdave%syndicomm.com <>2003-11-03 11:25:51 +0000
commita30e5f2cf9b04a8a377186ecb3b90b4311d23894 (patch)
treeefbcccbae8cd64c293ff40069e8ee298c14160d5
parent808d96e117740d8cd8221dbf3c82c54de1bb7272 (diff)
downloadbugs-a30e5f2cf9b04a8a377186ecb3b90b4311d23894.tar
bugs-a30e5f2cf9b04a8a377186ecb3b90b4311d23894.tar.gz
bugs-a30e5f2cf9b04a8a377186ecb3b90b4311d23894.tar.bz2
bugs-a30e5f2cf9b04a8a377186ecb3b90b4311d23894.tar.xz
bugs-a30e5f2cf9b04a8a377186ecb3b90b4311d23894.zip
[SECURITY] Bug 209742: Under some circumstances, a user can obtain component descriptions for a product to which he does not normally have access.
Patch by Ryan Cleary <tryanc@interdimensions.com> r= joel, bbaetz a= justdave
-rwxr-xr-xdescribecomponents.cgi2
1 files changed, 1 insertions, 1 deletions
diff --git a/describecomponents.cgi b/describecomponents.cgi
index ff7f46ac8..05af91949 100755
--- a/describecomponents.cgi
+++ b/describecomponents.cgi
@@ -46,7 +46,7 @@ if (!defined $::FORM{'product'}) {
# Reference to a subset of %::proddesc, which the user is allowed to see
my %products;
- if (AnyDefaultGroups()) {
+ if (AnyEntryGroups()) {
# OK, now only add products the user can see
confirm_login() unless $::userid;
foreach my $p (@::legal_product) {