From: Frédéric Buclin <LpSolit@gmail.com>
Date: Thu, 18 Feb 2010 00:16:31 +0000 (+0100)
Subject: Bug 533018: "Confirm match" displays full email address to logged-out users in reques... 
X-Git-Tag: bugzilla-3.6rc1~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36e16eaf9a73b7548352a3b9b193133e25ced5ad;p=thirdparty%2Fbugzilla.git

Bug 533018: "Confirm match" displays full email address to logged-out users in request.cgi
r/a=mkanat
---

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index e0c5b132f9..b8d2aaa6f8 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1066,7 +1066,8 @@ sub match {
     # first try wildcards
     my $wildstr = $str;
 
-    if ($wildstr =~ s/\*/\%/g) { # don't do wildcards if no '*' in the string
+    # Do not do wildcards if there is no '*' in the string.
+    if ($wildstr =~ s/\*/\%/g && $user->id) {
         # Build the query.
         trick_taint($wildstr);
         my $query  = "SELECT DISTINCT userid FROM profiles ";
@@ -1101,7 +1102,7 @@ sub match {
     }
 
     # then try substring search
-    if (!scalar(@users) && length($str) >= 3) {
+    if (!scalar(@users) && length($str) >= 3 && $user->id) {
         trick_taint($str);
 
         my $query   = "SELECT DISTINCT userid FROM profiles ";
diff --git a/template/en/default/global/confirm-user-match.html.tmpl b/template/en/default/global/confirm-user-match.html.tmpl
index 40dccc6b57..67a901f0e3 100644
--- a/template/en/default/global/confirm-user-match.html.tmpl
+++ b/template/en/default/global/confirm-user-match.html.tmpl
@@ -57,7 +57,7 @@
 [% IF matchsuccess == 1 %]
   [% PROCESS global/header.html.tmpl title="Confirm Match" %]
 
-[% USE Bugzilla %]
+  [% USE Bugzilla %]
 
   <form method="post" 
   [% IF script -%]
@@ -86,9 +86,13 @@
   [% PROCESS global/header.html.tmpl title="Match Failed" %]
   <p>
     [% terms.Bugzilla %] was unable to make any match at all for one or more of
-    the names and/or email addresses you entered on the previous page.<br>
-    Please go back and try other names or email addresses.
+    the names and/or email addresses you entered on the previous page.
+    [% IF !user.id %]
+      <b>Note: You are currently logged out. Only exact matches against e-mail
+      addresses will be performed.</b>
+    [% END %]
   </p>
+  <p>Please go back and try other names or email addresses.</p>
 [% END %]
 
   <table border="0">