From: Simon Green
Date: Tue, 19 Feb 2013 17:17:48 +0000 (+0100)
Subject: Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of produ...
X-Git-Tag: bugzilla-3.6.13~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41004372e35a6eb2f3b52536d9924ac6b0ff4fc4;p=thirdparty%2Fbugzilla.git

Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access r/a=LpSolit
---
diff --git a/Bugzilla/Config/GroupSecurity.pm b/Bugzilla/Config/GroupSecurity.pm
index f7f717379d..6296583d95 100644
--- a/Bugzilla/Config/GroupSecurity.pm
+++ b/Bugzilla/Config/GroupSecurity.pm
@@ -80,6 +80,14 @@ sub get_param_list {
    checker => \&check_group
   },
 
+  {
+   name => 'debug_group',
+   type => 's',
+   choices => \&_get_all_group_names,
+   default => 'admin',
+   checker => \&check_group
+  },
+
   {
    name => 'usevisibilitygroups',
    type => 'b',
diff --git a/buglist.cgi b/buglist.cgi
index c1b620b76f..dabf2d52e8 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -867,7 +867,10 @@ elsif ($fulltext) {
 # Query Execution
 ################################################################################
 
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
     $vars->{'debug'} = 1;
     $vars->{'query'} = $query;
     # Explains are limited to admins because you could use them to figure
diff --git a/report.cgi b/report.cgi
index 18bed40a0d..cd9863de85 100755
--- a/report.cgi
+++ b/report.cgi
@@ -243,7 +243,13 @@ $vars->{'width'} = $width if $width;
 $vars->{'height'} = $height if $height;
 
 $vars->{'query'} = $query;
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+    $vars->{'debug'} = 1;
+}
 
 my $formatparam = $cgi->param('format');
 
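Review bot: The new `debug_group` entry carries no comment saying what it gates, and nothing in this file records that it controls the `debug` query parameter checked in buglist.cgi and report.cgi, so an admin reading only this file cannot tell why the default is the restrictive `admin` group. A one-line comment above the entry would capture that: `# Group allowed to use the 'debug' CGI parameter (shows the generated SQL); consumed by buglist.cgi and report.cgi.` Both callers test the parameter for truth before calling in_group, so if `_get_all_group_names` offers an empty choice (its body is not visible here), an empty value disables the feature entirely — worth stating in the same comment if that is the intent. get_param_list's body starts and ends outside the hunk.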
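Review bot: The three-line authorisation condition added at the top of the `if` is copied verbatim into report.cgi, and the comment that follows still says explains are limited to admins without mentioning that the query text is now gated by `debug_group` too. Centralising the check in one place, e.g. a `Bugzilla::User` method `sub can_see_debug_output { my $self = shift; my $g = Bugzilla->params->{debug_group}; return $g && $self->in_group($g); }`, would let both callers read `if ($cgi->param('debug') && Bugzilla->user->can_see_debug_output) {`, so any future CGI that honours `debug` cannot forget the guard. The `if` block continues past the end of the hunk.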
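Review bot: The replacement silently ignores `debug` for users outside `debug_group` (`$vars->{'debug'}` is simply left unset) rather than raising an error, and nothing in the hunk records that this is deliberate, so a later maintainer may "fix" it by reporting an authorisation failure — which would itself confirm that the feature exists. A comment above the `if` should pin the intent: `# Only members of debug_group may see the generated SQL (bug 824399); everyone else gets a normal report with no error.` Note also that the removed line passed the raw `$cgi->param('debug')` value to the template whereas the new code sets a plain `1`; that is fine as long as the report templates only test the value for truth, which cannot be confirmed from this hunk.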
diff --git a/template/en/default/admin/params/groupsecurity.html.tmpl b/template/en/default/admin/params/groupsecurity.html.tmpl
index ab39a91499..783099a11d 100644
--- a/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/template/en/default/admin/params/groupsecurity.html.tmpl
@@ -42,6 +42,9 @@
   querysharegroup => "The name of the group of users who can share their " _
                      "saved searches with others.",
 
+  debug_group => "The name of the group of users who can view the actual " _
+                 "SQL query generated when viewing $terms.bug lists and reports.",
+
   usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
                          "specific groups?",
 
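Review bot: The new description tells an admin who may view the generated SQL but not why the choice matters, although the commit subject states that the SQL leaks the existence of products and components the viewer cannot access. Extending the second string to `"SQL query generated when viewing $terms.bug lists and reports. The SQL can reveal the names of products and components the viewer cannot otherwise see, so keep this group small."` gives the admin the information needed to pick the group safely.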