From: Max Kanat-Alexander Date: Thu, 24 Jun 2010 17:06:25 +0000 (-0700) Subject: Bug 309952: (CVE-2010-1204) [SECURITY] Make boolean chart searches with time X-Git-Tag: bugzilla-3.7.1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14944e84b4dd1eeb9cbd48962f3cde2d7b15c630;p=thirdparty%2Fbugzilla.git Bug 309952: (CVE-2010-1204) [SECURITY] Make boolean chart searches with time tracking fields no longer work for everybody r=LpSolit, a=mkanat --- diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm index a764babe43..24adf00948 100644 --- a/Bugzilla/Search.pm +++ b/Bugzilla/Search.pm @@ -870,6 +870,12 @@ sub init { my %chartfields = @{$dbh->selectcol_arrayref( q{SELECT name, id FROM fielddefs}, { Columns=>[1,2] })}; + if (!$user->is_timetracker) { + foreach my $tt_field (TIMETRACKING_FIELDS) { + delete $chartfields{$tt_field}; + } + } + my ($sequence, $chartid); $row = 0; for ($chart=-1 ;
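Review bot: The new `if (!$user->is_timetracker)` block carries no comment marking it as an access-control check, so a later refactor of how `%chartfields` is built could drop it unnoticed. I would put `# Security: users outside the time-tracking group must not search on these fields, or the hidden values can be inferred from which bugs match.` directly above it. The filter is a deny-list keyed on `TIMETRACKING_FIELDS`, so it is only as complete as that constant, whose definition is not visible in this hunk. What happens to a chart that names a removed field is decided later in `init`, outside the hunk; presumably it is rejected as an unknown field, but it is worth confirming that it fails with an error rather than being silently ignored. A regression test for a non-timetracker user would pin that behaviour.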