diff options
author | justdave%syndicomm.com <> | 2003-11-03 11:20:49 +0000 |
---|---|---|
committer | justdave%syndicomm.com <> | 2003-11-03 11:20:49 +0000 |
commit | 808d96e117740d8cd8221dbf3c82c54de1bb7272 (patch) | |
tree | 4a74d0ab4379e8f8dd7a758256cfc779be4acc00 | |
parent | Bu 210735 - collectstats.pl broken. Removes "uninitialised value" warning. Pa... (diff) | |
download | bugzilla-808d96e117740d8cd8221dbf3c82c54de1bb7272.tar.gz bugzilla-808d96e117740d8cd8221dbf3c82c54de1bb7272.tar.bz2 bugzilla-808d96e117740d8cd8221dbf3c82c54de1bb7272.zip |
[SECURITY] Bug 209376: If you know the email address of someone who has voted on a secure bug, you can access the summary of that bug even if you do not have sufficient permissions to view the bug itself.
Patch by Gervase Markham <gerv@mozilla.org>
r= justdave, bbaetz a= justdave
-rwxr-xr-x | votes.cgi | 10 |
1 files changed, 3 insertions, 7 deletions
@@ -128,12 +128,8 @@ sub show_user { my $bug_id = $::FORM{'bug_id'} || ""; my $name = $::FORM{'user'} || Bugzilla->user->login; - my $who = DBname_to_id($name); - - # After DBNameToIdAndCheck is templatised and prints a Content-Type, - # the above should revert to a call to that function, and this - # special error handling should go away. - $who || ThrowUserError("invalid_username", {name => $name}); + my $who = DBNameToIdAndCheck($name); + my $userid = Bugzilla->user ? Bugzilla->user->id : 0; my $canedit = 1 if (Bugzilla->user && $name eq Bugzilla->user->login); @@ -193,7 +189,7 @@ sub show_user { # and they can see there are votes 'missing', but not on what bug # they are. This seems a reasonable compromise; the alternative is # to lie in the totals. - next if !CanSeeBug($id, $who); + next if !CanSeeBug($id, $userid); push (@bugs, { id => $id, summary => $summary, |