sanitycheck.cgi was able to be run by anybody - even people without Bugzilla accounts...
authorjake%acutex.net <>
Sat, 2 Jun 2001 21:24:45 +0000 (21:24 +0000)
committerjake%acutex.net <>
Sat, 2 Jun 2001 21:24:45 +0000 (21:24 +0000)
Patch by Myk Melez <myk@mozilla.org>
r= jake@acutex.net

sanitycheck.cgi

index 2da7fde2fd32190859eb722e2228378670d13440..bc3b823c7a35e9603dc7f124a4311427ca3b924b 100755 (executable)
@@ -27,10 +27,25 @@ require "CGI.pl";
 
 use vars %::FORM;
 
+ConnectToDatabase();
+
+confirm_login();
+
+# Make sure the user is authorized to access sanitycheck.cgi.  Access
+# is restricted to logged-in users who have "editbugs" privileges,
+# which is a reasonable compromise between allowing all users to access
+# the script (creating the potential for denial of service attacks)
+# and restricting access to this installation's administrators (which
+# prevents users with a legitimate interest in Bugzilla integrity
+# from accessing the script).
+UserInGroup("editbugs")
+  || DisplayError("You are not authorized to access this script,
+                   which is reserved for users with the ability to edit bugs.")
+  && exit;
+
 print "Content-type: text/html\n";
 print "\n";
 
-ConnectToDatabase();
 SendSQL("set SQL_BIG_TABLES=1");
 
 my $offervotecacherebuild = 0;
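Review bot: The added guard `UserInGroup("editbugs") || DisplayError(...) && exit;` only reaches `exit` when DisplayError() returns a true value, because `&&` binds tighter than `||`. DisplayError is defined outside this hunk, so its return value cannot be confirmed from here. If it returns false or an empty list, a logged-in user without "editbugs" falls through to `SendSQL("set SQL_BIG_TABLES=1")` and the rest of the checks, so the authorization fails open. Make the denial independent of the helper's return value, for example `unless (UserInGroup("editbugs")) { DisplayError("…same message…"); exit; }`. The script body continues past the end of the hunk, so any later statements that assume an authorized user depend on this guard as well.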