aboutsummaryrefslogtreecommitdiffstats
path: root/show_bug.cgi
diff options
context:
space:
mode:
authorjustdave%bugzilla.org <>2004-10-25 14:25:58 +0000
committerjustdave%bugzilla.org <>2004-10-25 14:25:58 +0000
commit53bd4df6f142c240d7beaa6b6789839da1f5f164 (patch)
treeb289d2cc6c469fb86b67461f76e0b88521a58643 /show_bug.cgi
parent23df77be557e495a78808769378ce1f29ac00b4f (diff)
downloadbugs-53bd4df6f142c240d7beaa6b6789839da1f5f164.tar
bugs-53bd4df6f142c240d7beaa6b6789839da1f5f164.tar.gz
bugs-53bd4df6f142c240d7beaa6b6789839da1f5f164.tar.bz2
bugs-53bd4df6f142c240d7beaa6b6789839da1f5f164.tar.xz
bugs-53bd4df6f142c240d7beaa6b6789839da1f5f164.zip
[SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and attachment summaries which are marked as private to users who are not members of the group allowed to see private comments and attachments. XML export is not exposed in the user interface, but is available to anyone who knows the correct URL to invoke it. This only affects sites that use the 'insidergroup' feature.
Patch by Joel Peshkin <bugreport@peshkin.net> r=vladd,justdave, a=justdave
Diffstat (limited to 'show_bug.cgi')
-rwxr-xr-xshow_bug.cgi4
1 files changed, 4 insertions, 0 deletions
diff --git a/show_bug.cgi b/show_bug.cgi
index 4803ff67b..03cf6f60d 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -113,6 +113,10 @@ if ($cgi->param("field")) {
@fieldlist = $cgi->param("field");
}
+unless (UserInGroup(Param("timetrackinggroup"))) {
+ @fieldlist = grep($_ !~ /_time$/, @fieldlist);
+}
+
foreach (@fieldlist) {
$displayfields{$_} = 1;
}