From: Frédéric Buclin
Date: Tue, 13 Nov 2012 17:37:32 +0000 (+0100)
Subject: Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using...
X-Git-Tag: bugzilla-4.0.9~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a73288452c0670468cb1b1ec3cb9226abc7802e;p=thirdparty%2Fbugzilla.git

Bug 781850 (CVE-2012-4198): [SECURITY] Do not leak the existence of groups when using User.get()
r=dkl a=LpSolit
---
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index c1230e3aed..0c19acfe0e 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -156,6 +156,10 @@ use constant WS_ERROR_CODE => {
     attachment_url_disabled => 605,
     zero_length_file => 606,
+    # Group errors are 800-900.
+    # Errors 800 - 803 are reserved for 4.2 and newer.
+    invalid_group_name => 804,
+
     # Errors thrown by the WebService itself. The ones that are negative
     # conform to http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php
     xmlrpc_invalid_value => -32600,
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index 8d3740952b..1d8c7f892c 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -234,12 +234,18 @@ sub _filter_users_by_group {
     # If no groups are specified, we return all users.
     return $users if (!$group_ids and !$group_names);
+    my $user = Bugzilla->user;
+
     my @groups = map { Bugzilla::Group->check({ id => $_ }) } @{ $group_ids || [] };
-    my @name_groups = map { Bugzilla::Group->check($_) }
-                          @{ $group_names || [] };
-    push(@groups, @name_groups);
-
+
+    if ($group_names) {
+        foreach my $name (@$group_names) {
+            my $group = Bugzilla::Group->check({ name => $name, _error => 'invalid_group_name' });
+            $user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name });
+            push(@groups, $group);
+        }
+    }
     my @in_group = grep { $self->_user_in_any_group($_, \@groups) } @$users;
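Review bot: In the User.pm hunk the new membership test `$user->in_group($group) || ThrowUserError('invalid_group_name', { name => $name });` guards only the `if ($group_names)` branch, while the unchanged `my @groups = map { Bugzilla::Group->check({ id => $_ }) } ...` line above it still resolves group IDs with no such test; unless `group_ids` is restricted somewhere outside this hunk, a caller can still distinguish an existing group ID from an invalid one (error 51, as the POD hunk documents) and filter `@$users` through a group they are not a member of. If group IDs are considered non-sensitive, that decision should be recorded on that line, e.g. `# Group IDs carry no name; existence by ID is deliberately not hidden (bug 781850).`; otherwise the id branch needs the same `in_group` test raising the same uniform error. It is also worth confirming that the `_error => 'invalid_group_name'` path inside `Bugzilla::Group->check` renders exactly the same message as the explicit `ThrowUserError` on the next line, since any difference in wording or arguments would again tell "unknown group" from "not a member", which is what this commit sets out to hide. `_filter_users_by_group` starts before the hunk and its `return` follows after it.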
@@ -587,10 +593,10 @@ C, C, and C items.
 =over
-=item 51 (Bad Login Name or Group Name)
+=item 51 (Bad Login Name or Group ID)
 You passed an invalid login name in the "names" array or a bad
-group name/id in the C/C arguments.
+group ID in the C argument.
 =item 304 (Authorization Required)
@@ -602,6 +608,11 @@ wanted to get information about by user id.
 Logged-out users cannot use the "ids" or "match" arguments to this function.
+=item 804 (Invalid Group Name)
+
+You passed a group name in the C argument which either does not
+exist or you do not belong to it.
+
 =back
 =item B
@@ -615,6 +626,9 @@ function.
 =item C added in Bugzilla B<4.0>. Default behavior for C has changed to only returning enabled accounts.
+=item Error 804 has been added in Bugzilla 4.0.9 and 4.2.4. It's now
+illegal to pass a group name you don't belong to.
+
 =back
 =back