From: Frédéric Buclin
Date: Tue, 13 Nov 2012 17:25:25 +0000 (+0100)
Subject: Bug 802204 (CVE-2012-4197): [SECURITY] Marking an attachment you cannot see as obsole...
X-Git-Tag: bugzilla-3.6.12~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a99b3450a807c16094494f93adf0e97afa09c18;p=thirdparty%2Fbugzilla.git

Bug 802204 (CVE-2012-4197): [SECURITY] Marking an attachment you cannot see as obsolete can disclose its description r=gerv a=LpSolit
---
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index d6037b3e79..fb3725aff1 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -771,11 +771,8 @@ sub validate_obsolete {
 $attachment->validate_can_edit($bug->product_id) || ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id });
- $vars->{'description'} = $attachment->description;
-
 if ($attachment->bug_id != $bug->bug_id) { $vars->{'my_bug_id'} = $bug->bug_id;
- $vars->{'attach_bug_id'} = $attachment->bug_id;
 ThrowCodeError('mismatched_bug_ids_on_obsolete', $vars); }
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 3db03fca4a..bee2da1a7e 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -256,8 +256,7 @@
 setting in [% constants.bz_locations.localconfig FILTER html %].
 [% ELSIF error == "mismatched_bug_ids_on_obsolete" %]
- Attachment [% attach_id FILTER html %] ([% description FILTER html %])
- is attached to [% terms.bug %] [%+ attach_bug_id FILTER html %],
+ Attachment [% attach_id FILTER html %] is attached to another [% terms.bug %],
 but you tried to flag it as obsolete while creating a new attachment to [% terms.bug %] [%+ my_bug_id FILTER html %].
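Review bot: Dropping the two `$vars` assignments closes the disclosure, but nothing left in validate_obsolete records why attributes of `$attachment` must not be copied into `$vars` at the mismatch check, so a later maintainer wanting a friendlier message can reintroduce the same leak. A comment on the `if ($attachment->bug_id != $bug->bug_id)` branch such as `# Do not expose attributes of $attachment (description, bug_id, ...) in this error: the attachment may belong to a bug this user cannot see (bug 802204 / CVE-2012-4197).` would pin that down, and the same reminder belongs in the code-error.html.tmpl hunk next to the mismatched_bug_ids_on_obsolete branch, e.g. `[%# Only attach_id, which the user supplied, is safe to echo here; see bug 802204. #%]`. The order visible in the hunk still runs `validate_can_edit($bug->product_id)` against the current bug's product before confirming the attachment belongs to this bug, so the error may still be reached for an attachment on a bug the user cannot view; after this change it only confirms that the id exists and is on some other bug, but if the ownership comparison can be moved ahead of validate_can_edit without affecting callers it is worth considering. A regression test asserting that the error thrown for a foreign attachment carries only attach_id and my_bug_id would keep this from regressing silently. validate_obsolete starts before and continues after this hunk.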