From: Frédéric Buclin
Date: Wed, 4 Aug 2010 21:29:18 +0000 (+0200)
Subject: Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being...
X-Git-Tag: bugzilla-3.7.3~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9cd5510dc61504b32bb847077d3335deb3178681;p=thirdparty%2Fbugzilla.git

Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being in any given group
r=mkanat a=LpSolit
---

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index f93743e2a2..42e73f7705 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1459,7 +1459,8 @@ sub _contact_exact_group {
     $$v =~ /\%group\.([^%]+)%/;
     my $group = $1;
     my $groupid = Bugzilla::Group::ValidateGroupName( $group, ($user));
-    $groupid || ThrowUserError('invalid_group_name',{name => $group});
+    ($groupid && $user->in_group_id($groupid))
+        || ThrowUserError('invalid_group_name',{name => $group});
     my @childgroups = @{Bugzilla::Group->flatten_group_membership($groupid)};
     my $table = "user_group_map_$$chartid";
     push (@$supptables, "LEFT JOIN user_group_map AS $table " .
@@ -1525,7 +1526,8 @@ sub _cc_exact_group {
     $$v =~ m/%group\.([^%]+)%/;
     my $group = $1;
     my $groupid = Bugzilla::Group::ValidateGroupName( $group, ($user));
-    $groupid || ThrowUserError('invalid_group_name',{name => $group});
+    ($groupid && $user->in_group_id($groupid))
+        || ThrowUserError('invalid_group_name',{name => $group});
     my @childgroups = @{Bugzilla::Group->flatten_group_membership($groupid)};
     my $chartseq = $$chartid;
     if ($$chartid eq "") {
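Review bot: The new guard in `_contact_exact_group` reports a group the user is not in with the same `invalid_group_name` error as a group that does not exist, but nothing in the hunk says that is intentional; a later maintainer could "improve" it into a distinct "not a member" message and reintroduce an oracle for probing which groups exist. Add a why-comment above the added lines: `# Same error for unknown and non-member groups: the search must not reveal which groups exist or who is in them.` This reading of the intent is inferred from the fix rather than stated in the commit message, so confirm it with the author before committing to the wording. The body of `_contact_exact_group` starts before and continues past this hunk.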
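Review bot: The authorization check is now duplicated verbatim in `_cc_exact_group` and `_contact_exact_group` (`($groupid && $user->in_group_id($groupid)) || ThrowUserError(...)`), which is how this class of bug gets fixed in one chart function and missed in another; the membership test belongs in one helper that both subs call. I would extract the `ValidateGroupName`, `in_group_id` and `ThrowUserError` lines into a file-level helper and replace the two copies with `my $groupid = _validate_search_group($group, $user);`. If any other chart function accepts `%group.name%` tokens it needs the same helper; that cannot be verified from this hunk. `_cc_exact_group` starts before and continues past the end of the hunk.
```perl
# Resolve a %group.name% search token to a group id that $user is allowed
# to query, or throw.  Unknown groups and groups the user is not a member
# of get the same error so the search cannot be used to enumerate groups.
sub _validate_search_group {
    my ($group, $user) = @_;
    my $groupid = Bugzilla::Group::ValidateGroupName($group, ($user));
    ($groupid && $user->in_group_id($groupid))
        || ThrowUserError('invalid_group_name', {name => $group});
    return $groupid;
}

# … in _cc_exact_group, replacing the ValidateGroupName/ThrowUserError lines …
    my $groupid = _validate_search_group($group, $user);
```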