From: justdave%syndicomm.com <> Date: Mon, 3 Nov 2003 11:50:40 +0000 (+0000) Subject: [SECURITY] Bug 219690: When deleting products and the 'usebuggroups' parameter is... X-Git-Tag: bugzilla-2.16.4~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7257e4adf8858aef520867ce59186457bfd8f364;p=thirdparty%2Fbugzilla.git [SECURITY] Bug 219690: When deleting products and the 'usebuggroups' parameter is on, the privilege which allows someone to add people to the group which is being deleted does not get removed, allowing people with that privilege to get that privilege for the next group that is created which reuses that group ID. Note that this only allows someone who had been granted privileges in the past to retain them. Patch by Stefan Mayr r= justdave, joel a= justdave --- diff --git a/editproducts.cgi b/editproducts.cgi index 8ef01ebe15..4c1bb5a8c7 100755 --- a/editproducts.cgi +++ b/editproducts.cgi @@ -686,8 +686,9 @@ if ($action eq 'delete') { # I'm merely checking to make sure that the groupset is not # the superuser groupset in doing this update... SendSQL("UPDATE profiles " . - "SET groupset = groupset - $bit " . - "WHERE (groupset & $bit) " . + "SET groupset = (groupset | $bit) - $bit, " . + "blessgroupset = (blessgroupset | $bit) - $bit " . + "WHERE ((groupset & $bit) or (blessgroupset & $bit)) " . "AND (groupset != $::superusergroupset)"); print "Users dropped from group '$group_desc'.
\n";
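Review bot: In the WHERE clause, the unchanged `AND (groupset != $::superusergroupset)` guard now also gates the new `blessgroupset` assignment, so a row whose groupset equals the superuser groupset keeps its bless bit for the deleted group. That bit would still be set if the account later loses superuser status and the group ID is reused, which is the case the commit message sets out to close. Consider clearing `blessgroupset` in its own UPDATE with `WHERE (blessgroupset & $bit)` and no superuser exclusion, leaving the guard on the `groupset` change only. The comment above the statement still describes only the groupset case; it should also say why `(groupset | $bit) - $bit` replaces the plain subtraction: a row can now match on only one of the two columns, so the bit has to be forced on before it is subtracted. Minor style point: lowercase `or` sits next to uppercase `AND` in the same clause.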