Bugzilla was leaking information about bugs marked secure (using bug groups). This checkin fixes bugs 39524, 39527, 39531, and 39533.

Patches by Myk Melez <myk@mozilla.org>.
r= jake@acutex.net

1 files changed, 31 insertions, 30 deletions

diff --git a/showvotes.cgi b/showvotes.cgi
index 575156786..bb87848f0 100755
--- a/showvotes.cgi
+++ b/showvotes.cgi
@@ -28,50 +28,51 @@ require "CGI.pl";
 
 ConnectToDatabase();
 
+if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
+                                  !defined $::FORM{'user'})) {
+    confirm_login();
+    $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
+} else {
+  # Check whether or not the user is currently logged in without throwing
+  # an error if the user is not logged in. This function sets the value 
+  # of $::usergroupset, the binary number that records the set of groups 
+  # to which the user belongs and which gets used in ValidateBugID below
+  # to determine whether or not the user is authorized to access the bug
+  # whose votes are being shown or which is being voted on.
+  quietly_check_login();
+}
+
 ################################################################################
-# START Form Data Validation
+# Begin Data/Security Validation
 ################################################################################
 
-# For security and correctness, validate the value of the "voteon" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'voteon'}) {
-  $::FORM{'voteon'} =~ /^(\d+)$/;
-  $::FORM{'voteon'} = $1 || 0;
-  SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'voteon'}");
-  FetchSQLData() 
-    || DisplayError("You entered an invalid bug number to vote on.") && exit;
+# Make sure the bug ID is a positive integer representing an existing
+# bug that the user is authorized to access.
+if (defined $::FORM{'bug_id'}) {
+  ValidateBugID($::FORM{'bug_id'});
 }
 
-# For security and correctness, validate the value of the "bug_id" form variable.
-# Valid values are those containing a number that is the ID of an existing bug.
-if (defined $::FORM{'bug_id'}) {
-  $::FORM{'bug_id'} =~ /^(\d+)$/;
-  $::FORM{'bug_id'} = $1 || 0;
-  SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'bug_id'}");
-  FetchSQLData() 
-    || DisplayError("You entered an invalid bug number.") && exit;
+# Make sure the bug ID being voted on is a positive integer representing 
+# an existing bug that the user is authorized to access.
+if (defined $::FORM{'voteon'}) {
+  ValidateBugID($::FORM{'voteon'});
 }
 
-# For security and correctness, validate the value of the "userid" form variable.
-# Valid values are those containing a number that is the ID of an existing user.
+# Make sure the user ID is a positive integer representing an existing user.
 if (defined $::FORM{'user'}) {
-  $::FORM{'user'} =~ /^(\d+)$/;
-  $::FORM{'user'} = $1 || 0;
-  SendSQL("SELECT userid FROM profiles WHERE userid = $::FORM{'user'}");
+  $::FORM{'user'} =~ /^([1-9][0-9]*)$/
+    || DisplayError("The user number is invalid.") 
+    && exit;
+  SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}");
   FetchSQLData() 
-    || DisplayError("You specified an invalid user number.") && exit;
+    || DisplayError("User #$::FORM{'user'} does not exist.") 
+    && exit;
 }
 
 ################################################################################
-# END Form Data Validation
+# End Data/Security Validation
 ################################################################################
 
-if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} &&
-                                  !defined $::FORM{'user'})) {
-    confirm_login();
-    $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
-}
-
 print "Content-type: text/html\n\n";
 
 if (defined $::FORM{'bug_id'}) {