From: justdave%syndicomm.com <> Date: Mon, 3 Nov 2003 11:39:43 +0000 (+0000) Subject: [SECURITY] Bug 209376: If you know the email address of someone who has voted on... X-Git-Tag: bugzilla-2.16.4~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=915041acc095f839a59127b936392bdd46b95da8;p=thirdparty%2Fbugzilla.git [SECURITY] Bug 209376: If you know the email address of someone who has voted on a secure bug, you can access the summary of that bug even if you do not have sufficient permissions to view the bug itself. Patch by Gervase Markham r= justdave, bbaetz a= justdave --- diff --git a/votes.cgi b/votes.cgi index 7a387e0e16..f77e1efc8e 100755 --- a/votes.cgi +++ b/votes.cgi @@ -135,7 +135,7 @@ sub show_user { my $canedit = 1 if ($name eq $::COOKIE{'Bugzilla_login'}); - SendSQL("LOCK TABLES bugs READ, products READ, votes WRITE, + SendSQL("LOCK TABLES bugs READ, products READ, profiles READ, votes WRITE, cc AS selectVisible_cc READ"); if ($canedit && $bug_id) { @@ -188,7 +188,9 @@ sub show_user { # and they can see there are votes 'missing', but not on what bug # they are. This seems a reasonable compromise; the alternative is # to lie in the totals. - next if !CanSeeBug($id, $who, $usergroupset); + next if !CanSeeBug($id, + DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'}), + $usergroupset); push (@bugs, { id => $id, summary => $summary,
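Review bot: the added `profiles READ` in the LOCK TABLES list is only needed because `DBNameToIdAndCheck` is now called while the tables are locked; resolving the logged-in user's id once before the `LOCK TABLES` statement (e.g. `my $viewer = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});` next to the `$canedit` line) would avoid widening the lock and keep the lock list unchanged.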
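Review bot: in the second hunk `DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'})` runs inside the per-bug loop, so every vote row costs an extra profiles lookup; hoist it into a variable before the loop and pass that to `CanSeeBug`. Also confirm what happens when the viewer is not logged in and `$::COOKIE{'Bugzilla_login'}` is empty: the name suggests `DBNameToIdAndCheck` will error on an unknown user, which would turn a public vote listing into a failure rather than filtering to the bugs an anonymous user may see. Passing the viewer rather than `$who` is the right fix for the disclosure, since `$who` is the user whose votes are being listed, not the person looking.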