Bug 577139: (CVE-2010-2758) [SECURITY] request.cgi and duplicates.cgi let you know...

r=mkanat a=LpSolit

diff --git a/Bugzilla/Product.pm b/Bugzilla/Product.pm
index 0b1a11a5dd53971f48c83d03e3a4868ec1f21451..b118d4bf4b1d53e469573dde4a9f8c7ce17dbdc4 100644 (file)
--- a/Bugzilla/Product.pm
+++ b/Bugzilla/Product.pm
@@ -870,16 +870,23 @@ sub classification_id { return $_[0]->{'classification_id'}; }
 ###############################
 
 sub check_product {
-    my ($product_name) = @_;
+    my ($product_name, $check_can_access) = @_;
 
-    unless ($product_name) {
-        ThrowUserError('product_not_specified');
-    }
+    $product_name || ThrowUserError('product_not_specified');
     my $product = new Bugzilla::Product({name => $product_name});
-    unless ($product) {
-        ThrowUserError('product_doesnt_exist',
-                       {'product' => $product_name});
+    if (!$product) {
+        if ($check_can_access) {
+            ThrowUserError('product_access_denied', { product => $product_name });
+        }
+        else {
+            ThrowUserError('product_doesnt_exist', { product => $product_name });
+        }
     }
+
+    if ($check_can_access && !Bugzilla->user->can_access_product($product->name)) {
+        ThrowUserError('product_access_denied', { product => $product_name });
+    }
+
     return $product;
 }
 
@@ -1058,12 +1065,14 @@ than calling those accessors on every item in the array individually.
 This function is not exported, so must be called like 
 C<Bugzilla::Product::preload($products)>.
 
-=item C<check_product($product_name)>
+=item C<check_product($product_name, $check_can_access)>
 
  Description: Checks if the product name was passed in and if is a valid
               product.
 
  Params:      $product_name - String with a product name.
+              $check_can_access - (optional) If set to true, the function
+              will also make sure that the user can access the product.
 
  Returns:     Bugzilla::Product object.
 

diff --git a/duplicates.cgi b/duplicates.cgi
index af239d6323e96d52858697e865e76c0d4e8fc75a..943d920aec6a901960c009f5761f12472083d5c2 100755 (executable)
--- a/duplicates.cgi
+++ b/duplicates.cgi
@@ -73,7 +73,9 @@ my @buglist = (split(/[:,]/, formvalue("bug_id")));
 
 # Make sure all products are valid.
 foreach my $p (@query_products) {
-    Bugzilla::Product::check_product($p);
+    # The second argument is set to true so that an error
+    # is thrown if the product is not accessible by the user.
+    Bugzilla::Product::check_product($p, 1);
 }
 
 # Small backwards-compatibility hack, dated 2002-04-10.

diff --git a/request.cgi b/request.cgi
index 5dfb76ddb975a26525ad4c5899d173d2dbd66aa5..fb56bfe81dd5a72c204bdca9ac9232bac88ec902 100755 (executable)
--- a/request.cgi
+++ b/request.cgi
@@ -207,7 +207,9 @@ sub queue {
     
     # Filter results by exact product or component.
     if (defined $cgi->param('product') && $cgi->param('product') ne "") {
-        my $product = Bugzilla::Product::check_product(scalar $cgi->param('product'));
+        # The second argument is set to true so that an error is thrown
+        # if the product is not accessible by the user.
+        my $product = Bugzilla::Product::check_product(scalar $cgi->param('product'), 1);
         push(@criteria, "bugs.product_id = " . $product->id);
         push(@excluded_columns, 'product') unless $cgi->param('do_union');
         if (defined $cgi->param('component') && $cgi->param('component') ne "") {