From: justdave%bugzilla.org <> Date: Mon, 25 Oct 2004 14:26:56 +0000 (+0000) Subject: [SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and attachment... X-Git-Tag: bugzilla-2.18rc3~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94e24e843560c61d1ab7131444053d230e92fd14;p=thirdparty%2Fbugzilla.git [SECURITY] Bug 263780: Exporting a bug to XML exposes user comments and attachment summaries which are marked as private to users who are not members of the group allowed to see private comments and attachments. XML export is not exposed in the user interface, but is available to anyone who knows the correct URL to invoke it. This only affects sites that use the 'insidergroup' feature. Patch by Joel Peshkin r=vladd,justdave, a=justdave --- diff --git a/show_bug.cgi b/show_bug.cgi index 7a568e3f54..2eb42d3c1a 100755 --- a/show_bug.cgi +++ b/show_bug.cgi @@ -100,6 +100,10 @@ if ($cgi->param("field")) { @fieldlist = $cgi->param("field"); } +unless (UserInGroup(Param("timetrackinggroup"))) { + @fieldlist = grep($_ !~ /_time$/, @fieldlist); +} + foreach (@fieldlist) { $displayfields{$_} = 1; } diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl index 45ef1712a8..34219c2080 100644 --- a/template/en/default/bug/show.xml.tmpl +++ b/template/en/default/bug/show.xml.tmpl @@ -53,6 +53,7 @@ [% IF displayfields.long_desc %] [% FOREACH c = bug.longdescs %] + [% NEXT IF c.isprivate && !UserInGroup(Param("insidergroup")) %] [% c.email FILTER xml %] [% c.time FILTER time FILTER xml %] @@ -63,6 +64,7 @@ [% IF displayfields.attachment %] [% FOREACH a = bug.attachments %] + [% NEXT IF a.isprivate && !UserInGroup(Param("insidergroup")) %] [% a.attachid %] [% a.date FILTER time FILTER xml %]
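Review bot: the show_bug.cgi hunk (the `unless (UserInGroup(Param("timetrackinggroup")))` filter on `@fieldlist`) is not described by the commit message, which only mentions private comments and attachments; please add a sentence saying that time-tracking fields are also stripped from the XML export for users outside `timetrackinggroup`. Two things to confirm before landing: that no non-time-tracking field name requested via `field=` ends in `_time` (the `grep($_ !~ /_time$/, @fieldlist)` match is purely on the suffix), and what `UserInGroup` returns when the `timetrackinggroup` parameter is empty, since that case decides whether sites without time tracking keep or lose those fields.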
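Review bot: in the `bug.longdescs` hunk of show.xml.tmpl the private comment is still loaded into `bug.longdescs` and only skipped at output time by `[% NEXT IF c.isprivate && !UserInGroup(Param("insidergroup")) %]`, so the filtering depends on every XML template that iterates comments remembering this check; a short template comment stating that this must mirror the private-comment check used by the HTML show_bug view would make that dependency explicit.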
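Review bot: the `bug.attachments` hunk repeats the exact condition from the comments loop, `a.isprivate && !UserInGroup(Param("insidergroup"))`, so `UserInGroup(Param("insidergroup"))` is evaluated once per comment and once per attachment and the two checks can drift apart; suggest computing it once above both loops, e.g. `[% can_see_private = UserInGroup(Param("insidergroup")) %]`, and writing `[% NEXT IF a.isprivate && !can_see_private %]` in both places.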