Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being...

r=mkanat a=LpSolit

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 7a6fe60f29e305544e911da6d5a4c09feb16d384..abd3fd53ea475e8199cdae2ed112ddd9d9c694e4 100644 (file)
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1856,10 +1856,14 @@ sub _contact_exact_group {
     my ($value, $operator, $field, $chart_id, $joins) =
         @$args{qw(value operator field chart_id joins)};
     my $dbh = Bugzilla->dbh;
+    my $user = $self->_user;
     
     $value =~ /\%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $group_ids = Bugzilla::Group->flatten_group_membership($group->id);
     my $table = "user_group_map_$chart_id";
     my $join = {
@@ -1904,6 +1908,9 @@ sub _cc_exact_group {
     $value =~ m/%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $all_groups = Bugzilla::Group->flatten_group_membership($group->id);
 
     # This is for the email1, email2, email3 fields from query.cgi.