###############################
sub check_product {
- my ($product_name) = @_;
+ my ($product_name, $check_can_access) = @_;
- unless ($product_name) {
- ThrowUserError('product_not_specified');
- }
+ $product_name || ThrowUserError('product_not_specified');
my $product = new Bugzilla::Product({name => $product_name});
- unless ($product) {
- ThrowUserError('product_doesnt_exist',
- {'product' => $product_name});
+ if (!$product) {
+ if ($check_can_access) {
+ ThrowUserError('product_access_denied', { product => $product_name });
+ }
+ else {
+ ThrowUserError('product_doesnt_exist', { product => $product_name });
+ }
}
+
+ if ($check_can_access && !Bugzilla->user->can_access_product($product->name)) {
+ ThrowUserError('product_access_denied', { product => $product_name });
+ }
+
return $product;
}
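Review bot: The `if (!$product)` branch reports `product_access_denied` for a name that does not exist when `$check_can_access` is set, but nothing in the code says why, so a later cleanup could easily "correct" it back to `product_doesnt_exist`. I would add a comment above that branch, such as `# Report a missing product exactly like an inaccessible one, so the error does not reveal which product names exist.` The check is also opt-in: a caller that omits the second argument still receives the object for a product the user cannot access, and still gets the distinct `product_doesnt_exist` error. Call sites not shown here should be checked to confirm each one either passes the flag or enforces access itself.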
This function is not exported, so must be called like
C<Bugzilla::Product::preload($products)>.
-=item C<check_product($product_name)>
+=item C<check_product($product_name, $check_can_access)>
Description: Checks if the product name was passed in and if is a valid
product.
Params: $product_name - String with a product name.
+ $check_can_access - (optional) If set to true, the function
+ will also make sure that the user can access the product.
Returns: Bugzilla::Product object.
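Review bot: The POD for `$check_can_access` does not say which error the caller gets on failure. With the flag set, both a missing product and an inaccessible one raise `product_access_denied`; without it, a missing product raises `product_doesnt_exist` and no access check is made. A line such as `Throws: product_access_denied if $check_can_access is true and the product does not exist or is not accessible to the user.` would make that contract visible to callers.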
# Make sure all products are valid.
foreach my $p (@query_products) {
- Bugzilla::Product::check_product($p);
+ # The second argument is set to true so that an error
+ # is thrown if the product is not accessible by the user.
+ Bugzilla::Product::check_product($p, 1);
}
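Review bot: The bare `1` passed to `check_product` in this loop is only intelligible because of the two-line comment above it, and the same comment is repeated at the other call that passes `1` (the `$cgi->param('product')` filter). A positional boolean is easy to drop or misread in a later edit, and here dropping it silently disables the access check. A named local, for example `my $check_can_access = 1;` passed in place of the literal, would keep the intent at the call site without relying on the comment.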
# Small backwards-compatibility hack, dated 2002-04-10.
# Filter results by exact product or component.
if (defined $cgi->param('product') && $cgi->param('product') ne "") {
- my $product = Bugzilla::Product::check_product(scalar $cgi->param('product'));
+ # The second argument is set to true so that an error is thrown
+ # if the product is not accessible by the user.
+ my $product = Bugzilla::Product::check_product(scalar $cgi->param('product'), 1);
push(@criteria, "bugs.product_id = " . $product->id);
push(@excluded_columns, 'product') unless $cgi->param('do_union');
if (defined $cgi->param('component') && $cgi->param('component') ne "") {