authorjustdave%bugzilla.org <>2004-10-25 14:34:30 +0000
committerjustdave%bugzilla.org <>2004-10-25 14:34:30 +0000
commit2448644d73abf20342d51b1ec9c0d6cdf054c235 (patch)
treed50d6f88374a62d16ea8d8d19d4776e81bc0900a /CGI.pl
parent[SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and attac... (diff)
[SECURITY] Bug 253544: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when viewing the bug activity log. This only affects sites that use the 'insidergroup' feature.
Patch by Joel Peshkin <bugreport@peshkin.net> r=zach,justdave, a=justdave
Diffstat (limited to 'CGI.pl')
-rw-r--r--CGI.pl12
1 files changed, 9 insertions, 3 deletions
diff --git a/CGI.pl b/CGI.pl
index 4912610bc..311d349ce 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -315,7 +315,13 @@ sub GetBugActivity {
if (defined $starttime) {
$datepart = "and bugs_activity.bug_when > " . SqlQuote($starttime);
}
-
+ my $suppjoins = "";
+ my $suppwhere = "";
+ if (Param("insidergroup") && !UserInGroup(Param('insidergroup'))) {
+ $suppjoins = "LEFT JOIN attachments
+ ON attachments.attach_id = bugs_activity.attach_id";
+ $suppwhere = "AND NOT(COALESCE(attachments.isprivate,0))";
+ }
my $query = "
SELECT IFNULL(fielddefs.description, bugs_activity.fieldid),
fielddefs.name,
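Review bot: The new guard on the `if (Param("insidergroup") && !UserInGroup(Param('insidergroup')))` line reads the parameter twice with two quoting styles and carries no comment saying why the join and predicate exist; I would hoist it as `my $insidergroup = Param('insidergroup');` and `if ($insidergroup && !UserInGroup($insidergroup)) {`, preceded by `# Non-insiders must not see activity rows tied to private attachments, so filter them out in SQL rather than after the fact.` The `$suppjoins`/`$suppwhere` fragments are constant strings, so their later interpolation into `$query` adds no injection surface, which is worth stating in that comment since the query already interpolates `$id`. Note that the predicate tests the attachment's current `isprivate` via the join, so rows for an attachment whose privacy was later toggled are presumably hidden or shown by today's flag rather than the flag at the time of the change — confirm that is the intended behaviour. GetBugActivity begins before this hunk and its body continues past it.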
@@ -323,11 +329,11 @@ sub GetBugActivity {
DATE_FORMAT(bugs_activity.bug_when,'%Y.%m.%d %H:%i'),
bugs_activity.removed, bugs_activity.added,
profiles.login_name
- FROM bugs_activity LEFT JOIN fielddefs ON
+ FROM bugs_activity $suppjoins LEFT JOIN fielddefs ON
bugs_activity.fieldid = fielddefs.fieldid,
profiles
WHERE bugs_activity.bug_id = $id $datepart
- AND profiles.userid = bugs_activity.who
+ AND profiles.userid = bugs_activity.who $suppwhere
ORDER BY bugs_activity.bug_when";
SendSQL($query);