Bug 777586: (CVE-2012-1969) [SECURITY] The description of private attachments is...
authorFrédéric Buclin <LpSolit@gmail.com>
Thu, 26 Jul 2012 21:09:32 +0000 (23:09 +0200)
committerFrédéric Buclin <LpSolit@gmail.com>
Thu, 26 Jul 2012 21:09:32 +0000 (23:09 +0200)
r=glob a=LpSolit

Bugzilla/Template.pm

index bb5ff5eda742717984406e995c29d887f95f762c..153812e96f794e6bd5920970b5a99585b8453e97 100644 (file)
@@ -266,13 +266,16 @@ sub quoteUrls {
 sub get_attachment_link {
     my ($attachid, $link_text) = @_;
     my $dbh = Bugzilla->dbh;
+    my $user = Bugzilla->user;
 
     my $attachment = new Bugzilla::Attachment($attachid);
 
     if ($attachment) {
         my $title = "";
         my $className = "";
-        if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+        if ($user->can_see_bug($attachment->bug_id)
+            && (!$attachment->isprivate || $user->is_insider))
+        {
             $title = $attachment->description;
         }
         if ($attachment->isobsolete) {
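Review bot: The `isobsolete` test on the last line of this hunk still runs outside the new visibility condition, so the obsolete state of a private attachment (or of one on a bug the user cannot see) may still reach a non-insider through `$className`, although the description is now withheld. The function body continues past the hunk, so how `$className` is rendered is not visible here and this should be confirmed against the rest of `get_attachment_link`. If it is emitted, compute the decision once, `my $can_see = $user->can_see_bug($attachment->bug_id) && (!$attachment->isprivate || $user->is_insider);`, and reuse it as `if ($can_see && $attachment->isobsolete) {`. A short comment above the condition, such as `# Private attachment metadata is only shown to members of the insider group.`, would also help keep the two checks together in later edits.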