From: justdave%bugzilla.org <> Date: Mon, 25 Oct 2004 14:33:20 +0000 (+0000) Subject: [SECURITY] Bug 253544: Changes to the metadata (filename, description, mime type... X-Git-Tag: bugzilla-2.19.1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22628e0ab83b78056beed1663af9bf14071a97fc;p=thirdparty%2Fbugzilla.git [SECURITY] Bug 253544: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when viewing the bug activity log. This only affects sites that use the 'insidergroup' feature. Patch by Joel Peshkin r=zach,justdave, a=justdave --- diff --git a/CGI.pl b/CGI.pl index 4f5b79f72f..4560228081 100644 --- a/CGI.pl +++ b/CGI.pl @@ -315,7 +315,13 @@ sub GetBugActivity { if (defined $starttime) { $datepart = "and bugs_activity.bug_when > " . SqlQuote($starttime); } - + my $suppjoins = ""; + my $suppwhere = ""; + if (Param("insidergroup") && !UserInGroup(Param('insidergroup'))) { + $suppjoins = "LEFT JOIN attachments + ON attachments.attach_id = bugs_activity.attach_id"; + $suppwhere = "AND NOT(COALESCE(attachments.isprivate,0))"; + } my $query = " SELECT COALESCE(fielddefs.description, bugs_activity.fieldid), fielddefs.name, @@ -323,11 +329,11 @@ sub GetBugActivity { DATE_FORMAT(bugs_activity.bug_when,'%Y.%m.%d %H:%i'), bugs_activity.removed, bugs_activity.added, profiles.login_name - FROM bugs_activity LEFT JOIN fielddefs ON + FROM bugs_activity $suppjoins LEFT JOIN fielddefs ON bugs_activity.fieldid = fielddefs.fieldid, profiles WHERE bugs_activity.bug_id = $id $datepart - AND profiles.userid = bugs_activity.who + AND profiles.userid = bugs_activity.who $suppwhere ORDER BY bugs_activity.bug_when"; SendSQL($query);