From: Frédéric Buclin <LpSolit@gmail.com>
Date: Thu, 18 Feb 2010 00:13:43 +0000 (+0100)
Subject: Bug 533018: "Confirm match" displays full email address to logged-out users in reques... 
X-Git-Tag: bugzilla-3.7.1~243
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e044b55c14320849fec284fa5452e9385153ec4;p=thirdparty%2Fbugzilla.git

Bug 533018: "Confirm match" displays full email address to logged-out users in request.cgi
r/a=mkanat
---

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 240fcfcdb7..7dd86f3014 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1066,7 +1066,8 @@ sub match {
     # first try wildcards
     my $wildstr = $str;
 
-    if ($wildstr =~ s/\*/\%/g) { # don't do wildcards if no '*' in the string
+    # Do not do wildcards if there is no '*' in the string.
+    if ($wildstr =~ s/\*/\%/g && $user->id) {
         # Build the query.
         trick_taint($wildstr);
         my $query  = "SELECT DISTINCT userid FROM profiles ";
@@ -1101,7 +1102,7 @@ sub match {
     }
 
     # then try substring search
-    if (!scalar(@users) && length($str) >= 3) {
+    if (!scalar(@users) && length($str) >= 3 && $user->id) {
         trick_taint($str);
 
         my $query   = "SELECT DISTINCT userid FROM profiles ";
diff --git a/template/en/default/global/confirm-user-match.html.tmpl b/template/en/default/global/confirm-user-match.html.tmpl
index 40dccc6b57..67a901f0e3 100644
--- a/template/en/default/global/confirm-user-match.html.tmpl
+++ b/template/en/default/global/confirm-user-match.html.tmpl
@@ -57,7 +57,7 @@
 [% IF matchsuccess == 1 %]
   [% PROCESS global/header.html.tmpl title="Confirm Match" %]
 
-[% USE Bugzilla %]
+  [% USE Bugzilla %]
 
   <form method="post" 
   [% IF script -%]
@@ -86,9 +86,13 @@
   [% PROCESS global/header.html.tmpl title="Match Failed" %]
   <p>
     [% terms.Bugzilla %] was unable to make any match at all for one or more of
-    the names and/or email addresses you entered on the previous page.<br>
-    Please go back and try other names or email addresses.
+    the names and/or email addresses you entered on the previous page.
+    [% IF !user.id %]
+      <b>Note: You are currently logged out. Only exact matches against e-mail
+      addresses will be performed.</b>
+    [% END %]
   </p>
+  <p>Please go back and try other names or email addresses.</p>
 [% END %]
 
   <table border="0">