Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being...
authorFrédéric Buclin <LpSolit@gmail.com>
Wed, 4 Aug 2010 21:35:47 +0000 (23:35 +0200)
committerFrédéric Buclin <LpSolit@gmail.com>
Wed, 4 Aug 2010 21:35:47 +0000 (23:35 +0200)
r=mkanat a=LpSolit

Bugzilla/Search.pm

index c489a9b7b693bfdbe9f71d6dfde707acb3cf65df..ad6abc3190f5ff7cb9b3f4fcf8f05c291311c579 100644 (file)
@@ -1036,7 +1036,8 @@ sub _contact_exact_group {
     $$v =~ m/%group\\.([^%]+)%/;
     my $group = $1;
     my $groupid = Bugzilla::Group::ValidateGroupName( $group, ($user));
-    $groupid || ThrowUserError('invalid_group_name',{name => $group});
+    ($groupid && $user->in_group_id($groupid))
+      || ThrowUserError('invalid_group_name',{name => $group});
     my @childgroups = @{$user->flatten_group_membership($groupid)};
     my $table = "user_group_map_$$chartid";
     push (@$supptables, "LEFT JOIN user_group_map AS $table " .
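Review bot: The new membership guard in `_contact_exact_group` deliberately raises the same `invalid_group_name` error whether the group does not exist or the searcher is simply not a member, and that choice deserves a comment so a later "helpful" split of the two messages does not turn the check into a group-existence oracle; something like `# Same error for unknown and non-member groups, so the response does not reveal which groups exist.` above the condition. The identical four lines are repeated in the `_cc_exact_group` hunk below, and presumably in any other `%group.NAME%` handler in this file that this diff does not show; a small shared helper such as `_check_group_membership($user, $group)` returning the validated id would keep every handler on the same rule and make a missed one obvious in review. The `$1` used on the line above comes from an unchecked `m//`, so a stale capture from an earlier match could reach `ValidateGroupName` when the token does not match, although the guard then fails closed. Both subs continue outside their hunks.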
@@ -1108,7 +1109,8 @@ sub _cc_exact_group {
     $$v =~ m/%group\\.([^%]+)%/;
     my $group = $1;
     my $groupid = Bugzilla::Group::ValidateGroupName( $group, ($user));
-    $groupid || ThrowUserError('invalid_group_name',{name => $group});
+    ($groupid && $user->in_group_id($groupid))
+      || ThrowUserError('invalid_group_name',{name => $group});
     my @childgroups = @{$user->flatten_group_membership($groupid)};
     my $chartseq = $$chartid;
     if ($$chartid eq "") {