From: mkanat%kerio.com <>
Date: Wed, 30 Mar 2005 22:35:55 +0000 (+0000)
Subject: Bug 287880: [SECURITY] Comments on secure bugs still available to templates... show_b...
X-Git-Tag: bugzilla-2.18.1~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d931b7799b4538f46da439c6840504962169a86;p=thirdparty%2Fbugzilla.git

Bug 287880: [SECURITY] Comments on secure bugs still available to templates... show_bug leaks
Patch By Max Kanat-Alexander r=justdave, a=justdave
---
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index a87338d25e..ba66ae5744 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -265,12 +265,18 @@ sub initBug {
     return $self;
 }
 
+# Note: If you add a new method, remember that you must check the error
+# state of the bug before returning any data. If $self->{error} is
+# defined, then return something empty. Otherwise you risk potential
+# security holes.
+
 sub dup_id {
     my ($self) = @_;
-    return $self->{'dup_id'} if exists $self->{'dup_id'};
     $self->{'dup_id'} = undef;
+    return if $self->{'error'};
+
     if ($self->{'resolution'} eq 'DUPLICATE') {
         my $dbh = Bugzilla->dbh;
         $self->{'dup_id'} =
@@ -288,7 +294,7 @@ sub actual_time {
     return $self->{'actual_time'} if exists $self->{'actual_time'};
-    return undef unless (Bugzilla->user &&
+    return undef unless (!$self->{'error'} && Bugzilla->user &&
                          Bugzilla->user->in_group(Param("timetrackinggroup")));
     my $sth = Bugzilla->dbh->prepare("SELECT SUM(work_time)
@@ -301,11 +307,9 @@ sub actual_time {
 sub longdescs {
     my ($self) = @_;
-    return $self->{'longdescs'} if exists $self->{'longdescs'};
-
+    return [] if $self->{'error'};
     $self->{'longdescs'} = &::GetComments($self->{bug_id});
-    return $self->{'longdescs'};
 }
@@ -315,6 +319,7 @@ sub use_keywords {
 sub use_votes {
     my ($self) = @_;
+    return 0 if $self->{'error'};
     return Param('usevotes') && $::prodmaxvotes{$self->{product}} > 0;
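Review bot: The bare `return;` added right after `$self->{'dup_id'} = undef;` yields an empty list in list context but undef in scalar context, whereas the non-error path of this accessor hands back the scalar `$self->{'dup_id'}`, so a caller that assigns the result into a list sees a different shape for error bugs than for normal ones. Because the field has already been reset to undef on the line above, `return $self->{'dup_id'} if $self->{'error'};` gives the same empty result with one consistent shape. The new block comment states the guard as a convention only; a line such as `# There is no central check: every accessor below must test $self->{'error'} itself before touching data.` would make clear to the next author that nothing enforces it. The body of dup_id continues past the end of the hunk.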
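Review bot: With the explicit `return $self->{'longdescs'};` deleted, the non-error path of longdescs now depends on the assignment being the last evaluated expression in the sub; Perl does return it, but the contract is invisible and any statement appended later silently changes the return value. `return $self->{'longdescs'} = &::GetComments($self->{bug_id});` keeps the intent explicit. Dropping the `exists` short-circuit also means each access to bug.longdescs from a template re-runs GetComments, which appears to be a database query; if the cache was removed only so a stale value could not bypass the error check, putting `return [] if $self->{'error'};` before a retained `return $self->{'longdescs'} if exists $self->{'longdescs'};` achieves both, though whether anything populates that key before the error state is set is not visible here.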
@@ -322,8 +327,8 @@ sub use_votes {
 sub groups {
     my $self = shift;
-    return $self->{'groups'} if exists $self->{'groups'};
+    return [] if $self->{'error'};
     my @groups;
@@ -387,6 +392,7 @@ sub groups {
 sub user {
     my $self = shift;
     return $self->{'user'} if exists $self->{'user'};
+    return {} if $self->{'error'};
     $self->{'user'} = {};
@@ -420,6 +426,7 @@ sub user {
 sub choices {
     my $self = shift;
     return $self->{'choices'} if exists $self->{'choices'};
+    return {} if $self->{'error'};
     &::GetVersionTable();
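Review bot: In `sub user` the new `return {} if $self->{'error'};` is placed after the memoization line `return $self->{'user'} if exists $self->{'user'};`, so the error check only runs on a cache miss, while the sibling accessors touched by this patch (dup_id, longdescs, groups) remove the cache lookup so the guard is always the first thing evaluated. If anything can populate `$self->{'user'}` before the error state is set — not visible in this hunk — the guard is bypassed entirely. Moving the error check above the cache lookup removes the dependency on that ordering; the same observation applies to the `sub choices` hunk that follows. The body of user continues beyond the hunk.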