Bug 777586: (CVE-2012-1969) [SECURITY] The description of private attachments is...
authorFrédéric Buclin <LpSolit@gmail.com>
Thu, 26 Jul 2012 21:07:23 +0000 (23:07 +0200)
committerFrédéric Buclin <LpSolit@gmail.com>
Thu, 26 Jul 2012 21:07:23 +0000 (23:07 +0200)
r=glob a=LpSolit

Bugzilla/Template.pm

index cc3d006135aa439b3b4a1f2328ef2640445640d5..801d702964ef3302bf02c5a62c50a67310c9e865 100644 (file)
@@ -270,13 +270,16 @@ sub quoteUrls {
 sub get_attachment_link {
     my ($attachid, $link_text) = @_;
     my $dbh = Bugzilla->dbh;
+    my $user = Bugzilla->user;
 
     my $attachment = new Bugzilla::Attachment($attachid);
 
     if ($attachment) {
         my $title = "";
         my $className = "";
-        if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+        if ($user->can_see_bug($attachment->bug_id)
+            && (!$attachment->isprivate || $user->is_insider))
+        {
             $title = $attachment->description;
         }
         if ($attachment->isobsolete) {
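Review bot: The `isobsolete` test on the last line of the hunk sits outside the new visibility guard, so it still runs for attachments whose description is now withheld, and a viewer who cannot see the bug or is not an insider may still learn the obsolete state from the link's styling. Consider computing the predicate once, `my $can_see = $user->can_see_bug($attachment->bug_id) && (!$attachment->isprivate || $user->is_insider);`, and using it for both `$title` and `$className`. get_attachment_link continues past the hunk, so how `$className` and `$link_text` reach the output is not visible here and should be confirmed. A comment above the condition, such as `# Descriptions of private attachments are shown to insiders only.`, would keep the reason for the second clause from being lost in a later refactor.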