Bug 674497: (CVE-2011-2979) [SECURITY] Custom searches let you determine if a group...

r=glob a=LpSolit

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 16e72b29605c92d8a153b02623db1e20afb927da..a5c3e032da2d292c308a7732af400ae5cdd2e372 100644 (file)
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -2007,7 +2007,7 @@ sub _contact_exact_group {
     my $user = $self->_user;
     
     $value =~ /\%group\.([^%]+)%/;
-    my $group = Bugzilla::Group->check($1);
+    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
     $group->check_members_are_visible();
     $user->in_group($group)
       || ThrowUserError('invalid_group_name', {name => $group->name});
@@ -2054,7 +2054,7 @@ sub _cc_exact_group {
     my $dbh = Bugzilla->dbh;
     
     $value =~ m/%group\.([^%]+)%/;
-    my $group = Bugzilla::Group->check($1);
+    my $group = Bugzilla::Group->check({ name => $1, _error => 'invalid_group_name' });
     $group->check_members_are_visible();
     $user->in_group($group)
       || ThrowUserError('invalid_group_name', {name => $group->name});