Bug 309952: (CVE-2010-1204) [SECURITY] Protect boolean chart searches for

author Max Kanat-Alexander <mkanat@bugzilla.org>

Thu, 24 Jun 2010 17:07:37 +0000 (10:07 -0700)

committer Max Kanat-Alexander <mkanat@bugzilla.org>

Thu, 24 Jun 2010 17:07:37 +0000 (10:07 -0700)
author Max Kanat-Alexander <mkanat@bugzilla.org>
Thu, 24 Jun 2010 17:07:37 +0000 (10:07 -0700)
committer Max Kanat-Alexander <mkanat@bugzilla.org>
Thu, 24 Jun 2010 17:07:37 +0000 (10:07 -0700)
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm

index 8fda3dfbcfdb73bb1c48b9618e14d3f56b252090..9f13d0117b96410e5b507f76a77e8d5eda25da40 100644 (file)
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -802,6 +802,12 @@ sub init {
      %chartfields = @{$dbh->selectcol_arrayref(
          q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })};
  
+    if (!$user->is_timetracker) {
+        foreach my $tt_field (TIMETRACKING_FIELDS) {
+            delete $chartfields{$tt_field};
+        }
+    }
+
      $row = 0;
      for ($chart=-1 ;
           $chart < 0 || $params->param("field$chart-0-0") ;
author	Max Kanat-Alexander <mkanat@bugzilla.org>
	Thu, 24 Jun 2010 17:07:37 +0000 (10:07 -0700)
committer	Max Kanat-Alexander <mkanat@bugzilla.org>
	Thu, 24 Jun 2010 17:07:37 +0000 (10:07 -0700)