From: Frédéric Buclin
Date: Wed, 4 Aug 2010 21:59:52 +0000 (+0200)
Subject: Bug 577139: (CVE-2010-2758) [SECURITY] request.cgi and duplicates.cgi let you know...
X-Git-Tag: bugzilla-3.2.8~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d52090dd2ee6746e7eb27bef0805754373e8a9fe;p=thirdparty%2Fbugzilla.git
Bug 577139: (CVE-2010-2758) [SECURITY] request.cgi and duplicates.cgi let you know whether a product exists or not r=mkanat a=LpSolit
---
diff --git a/Bugzilla/Product.pm b/Bugzilla/Product.pm
index 95a0e38407..c7f1e11922 100644
--- a/Bugzilla/Product.pm
+++ b/Bugzilla/Product.pm
@@ -266,16 +266,23 @@ sub classification_id { return $_[0]->{'classification_id'}; }
 ###############################
 sub check_product {
- my ($product_name) = @_;
+ my ($product_name, $check_can_access) = @_;
- unless ($product_name) {
- ThrowUserError('product_not_specified');
- }
+ $product_name || ThrowUserError('product_not_specified');
 my $product = new Bugzilla::Product({name => $product_name});
- unless ($product) {
- ThrowUserError('product_doesnt_exist',
- {'product' => $product_name});
+ if (!$product) {
+ if ($check_can_access) {
+ ThrowUserError('product_access_denied', { product => $product_name });
+ }
+ else {
+ ThrowUserError('product_doesnt_exist', { product => $product_name });
+ }
 }
+
+ if ($check_can_access && !Bugzilla->user->can_access_product($product->name)) {
+ ThrowUserError('product_access_denied', { product => $product_name });
+ }
+
 return $product;
 }
@@ -451,12 +458,14 @@ than calling those accessors on every item in the array individually.
 This function is not exported, so must be called like C.
-=item C
+=item C
 Description: Checks if the product name was passed in and if is a valid product.
 Params: $product_name - String with a product name.
+ $check_can_access - (optional) If set to true, the function
+ will also make sure that the user can access the product.
 Returns: Bugzilla::Product object.
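Review bot: With the second argument omitted, `check_product` still reports `product_doesnt_exist` for an unknown name, so any caller that takes the name from a request and does not pass the flag keeps the existence oracle this commit closes in request.cgi and duplicates.cgi; a comment above `my ($product_name, $check_can_access) = @_;` should record that, e.g. `# Pass a true $check_can_access whenever $product_name comes from the user; the default error reveals whether the product exists.` The new `$product_name || ThrowUserError('product_not_specified');` is statement-level flow control, for which the low-precedence form is the usual idiom: `$product_name or ThrowUserError('product_not_specified');`. The nested `if (!$product)` could also collapse to one call, `ThrowUserError($check_can_access ? 'product_access_denied' : 'product_doesnt_exist', { product => $product_name });`, which makes the "same error for both cases" intent explicit.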
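Review bot: The new `$check_can_access` entry under Params says the user's access is checked but not that an unknown product is then reported with `product_access_denied` rather than `product_doesnt_exist`, which is exactly what the code hunk above does and the reason callers pass the flag; add a sentence such as `When set, a product that does not exist is reported with the same product_access_denied error, so the response does not reveal whether the product exists.` The Returns line could likewise say that the object is only returned when the user can access the product.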
diff --git a/duplicates.cgi b/duplicates.cgi
index 32553a39d7..25600f7868 100755
--- a/duplicates.cgi
+++ b/duplicates.cgi
@@ -86,7 +86,9 @@ my @buglist = (split(/[:,]/, formvalue("bug_id")));
 # Make sure all products are valid.
 foreach my $p (@query_products) {
- Bugzilla::Product::check_product($p);
+ # The second argument is set to true so that an error
+ # is thrown if the product is not accessible by the user.
+ Bugzilla::Product::check_product($p, 1);
 }
 # Small backwards-compatibility hack, dated 2002-04-10.
diff --git a/request.cgi b/request.cgi
index cad1f6f533..5b6ca4fc69 100755
--- a/request.cgi
+++ b/request.cgi
@@ -210,7 +210,9 @@ sub queue {
 # Filter results by exact product or component.
 if (defined $cgi->param('product') && $cgi->param('product') ne "") {
- my $product = Bugzilla::Product::check_product(scalar $cgi->param('product'));
+ # The second argument is set to true so that an error is thrown
+ # if the product is not accessible by the user.
+ my $product = Bugzilla::Product::check_product(scalar $cgi->param('product'), 1);
 push(@criteria, "bugs.product_id = " . $product->id);
 push(@excluded_columns, 'product') unless $cgi->param('do_union');
 if (defined $cgi->param('component') && $cgi->param('component') ne "") {
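Review bot: The `Bugzilla::Product` object returned by `check_product($p, 1)` is discarded, so the code after the loop presumably still works from the raw names in `@query_products`; if a later query filters by product, collecting the returned objects (`push @products, Bugzilla::Product::check_product($p, 1);`) and using `$_->id` would keep validation and use on the same value. Everything after the closing `}` is outside the hunk, so this is inferred rather than seen. The two-line comment restates the literal `1`; a shorter form such as `# true: report unknown and inaccessible products with the same error` says why the flag matters rather than what it does.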
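Review bot: The added call line runs well past the ~80-column width the surrounding code keeps to; wrapping it as `my $product = Bugzilla::Product::check_product(` / `    scalar $cgi->param('product'), 1);` keeps the `scalar` — which correctly stops `param` from returning a list into the argument list — visible without scrolling. The `queue` sub continues outside the hunk, including the `component` branch that begins on its last line, so whether the component lookup applies a matching access check cannot be confirmed from here.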