From: mkanat%bugzilla.org <>
Date: Thu, 19 Nov 2009 02:09:45 +0000 (+0000)
Subject: Bug 529416: (CVE-2009-3386) [SECURITY] Dependency lists display bug aliases even... 
X-Git-Tag: bugzilla-3.5.2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26b0e4cffe829d9c436ae28de218788c0534ee29;p=thirdparty%2Fbugzilla.git

Bug 529416: (CVE-2009-3386) [SECURITY] Dependency lists display bug aliases even for bugs the user cannot access
Patch by Dave Miller <justdave@bugzilla.org> r=LpSolit, r=mkanat, a=mkanat
---

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index ba0a035bbe..17429a2e2e 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -348,10 +348,6 @@ sub get_bug_link {
     $bug = blessed($bug) ? $bug : new Bugzilla::Bug($bug);
     return $link_text if $bug->{error};
     
-    if ($options->{use_alias} && $link_text =~ /^\d+$/ && $bug->alias) {
-        $link_text = $bug->alias;
-    }
-
     # Initialize these variables to be "" so that we don't get warnings
     # if we don't change them below (which is highly likely).
     my ($pre, $title, $post) = ("", "", "");
@@ -369,6 +365,9 @@ sub get_bug_link {
     }
     if (Bugzilla->user->can_see_bug($bug)) {
         $title .= " - " . $bug->short_desc;
+        if ($options->{use_alias} && $link_text =~ /^\d+$/ && $bug->alias) {
+            $link_text = $bug->alias;
+        }
     }
     # Prevent code injection in the title.
     $title = html_quote(clean_text($title));