Bug 309952: (CVE-2010-1204) [SECURITY] Protect boolean chart searches for

author Max Kanat-Alexander <mkanat@bugzilla.org>

Thu, 24 Jun 2010 17:09:26 +0000 (10:09 -0700)

committer Max Kanat-Alexander <mkanat@bugzilla.org>

Thu, 24 Jun 2010 17:09:26 +0000 (10:09 -0700)
author Max Kanat-Alexander <mkanat@bugzilla.org>
Thu, 24 Jun 2010 17:09:26 +0000 (10:09 -0700)
committer Max Kanat-Alexander <mkanat@bugzilla.org>
Thu, 24 Jun 2010 17:09:26 +0000 (10:09 -0700)
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm

index c606b774d97d4092b7529803611e826537e1486c..e9abe72e7312ff6367bdb26fd729dffce9e60aad 100644 (file)
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -789,6 +789,14 @@ sub init {
      %chartfields = @{$dbh->selectcol_arrayref(
          q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })};
  
+    if (!$user->is_timetracker) {
+        foreach my $tt_field (qw(estimated_time remaining_time work_time
+                                 actual_time percentage_complete deadline)) 
+        {
+            delete $chartfields{$tt_field};
+        }
+    }
+
      $row = 0;
      for ($chart=-1 ;
           $chart < 0 || $params->param("field$chart-0-0") ;
author	Max Kanat-Alexander <mkanat@bugzilla.org>
	Thu, 24 Jun 2010 17:09:26 +0000 (10:09 -0700)
committer	Max Kanat-Alexander <mkanat@bugzilla.org>
	Thu, 24 Jun 2010 17:09:26 +0000 (10:09 -0700)