From: mkanat%bugzilla.org <>
Date: Thu, 19 Nov 2009 02:12:01 +0000 (+0000)
Subject: Bug 529416: (CVE-2009-3386) [SECURITY] Dependency lists display bug aliases even...
X-Git-Tag: bugzilla-3.4.4~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58048d4dc497ee76fa9930b02897e4330884c843;p=thirdparty%2Fbugzilla.git
Bug 529416: (CVE-2009-3386) [SECURITY] Dependency lists display bug aliases even for bugs the user cannot access Patch by Dave Miller r=LpSolit, a=mkanat
---
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 62ec148c72..615b60fabc 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -306,10 +306,6 @@ sub get_bug_link {
 FROM bugs WHERE bugs.bug_id = ?',
 undef, $bug_num);
 
- if ($options->{use_alias} && $link_text =~ /^\d+$/ && $bug_alias) {
- $link_text = $bug_alias;
- }
-
 if ($bug_state) {
 # Initialize these variables to be "" so that we don't get warnings
 # if we don't change them below (which is highly likely).
@@ -327,6 +323,9 @@ sub get_bug_link {
 }
 if (Bugzilla->user->can_see_bug($bug_num)) {
 $title .= " - $bug_desc";
+ if ($options->{use_alias} && $link_text =~ /^\d+$/ && $bug_alias) {
+ $link_text = $bug_alias;
+ }
 }
 # Prevent code injection in the title.
 $title = html_quote(clean_text($title));
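Review bot: The alias substitution added inside the `can_see_bug` branch (second hunk) carries no comment stating that its placement is a security boundary, so a later cleanup could hoist it back above `if ($bug_state)`, which is where the first hunk removes it from. I would add `# Only substitute the alias when the user can see the bug; an alias discloses information about a restricted bug.` directly above the new `if ($options->{use_alias} ...)` line. Separately, the visible lines escape only `$title` via `html_quote(clean_text($title))`, while `$link_text` may now hold a database-sourced alias; the rest of `get_bug_link` is outside the hunk, so please confirm `$link_text` is HTML-escaped before it is emitted. A regression test that renders a dependency list as a user without access to the aliased bug and asserts the numeric id is shown would pin the fix.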