From: lpsolit%gmail.com <>
Date: Sat, 1 Oct 2005 05:20:01 +0000 (+0000)
Subject: Bug 308256: [SECURITY] config.cgi doesn't check Param('requirelogin') - Patch by...
X-Git-Tag: bugzilla-2.20~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9e45d668656884765ecd71327bd29a7633a2c1b;p=thirdparty%2Fbugzilla.git
Bug 308256: [SECURITY] config.cgi doesn't check Param('requirelogin') - Patch by Frédéric Buclin r=mkanat a=justdave
---
diff --git a/config.cgi b/config.cgi
index 1306c0b668..48ab1b31bc 100755
--- a/config.cgi
+++ b/config.cgi
@@ -32,9 +32,8 @@ use strict;
 # Include the Bugzilla CGI and general utility library.
 use lib qw(.);
 require "CGI.pl";
-
-# Retrieve this installation's configuration.
-GetVersionTable();
+use Bugzilla;
+use Bugzilla::Constants;
 # Suppress "used only once" warnings.
 use vars
@@ -55,6 +54,17 @@ use vars
 # to generate the output.
 use vars qw($template $vars);
+Bugzilla->login(LOGIN_OPTIONAL);
+
+# If the 'requirelogin' parameter is on and the user is not
+# authenticated, return empty fields.
+if (Param('requirelogin') && !Bugzilla->user->id) {
+ display_data();
+}
+
+# Retrieve this installation's configuration.
+GetVersionTable();
+
+# Pass a bunch of Bugzilla configuration to the templates.
 $vars->{'priority'} = \@::legal_priority;
 $vars->{'severity'} = \@::legal_severity;
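Review bot: The unauthenticated branch of the new `if (Param('requirelogin') && !Bugzilla->user->id)` guard is fail-closed only because display_data() ends in `exit` (defined in the last hunk of this commit); if that exit is ever removed or the sub is changed to return, execution falls through to GetVersionTable() and the full configuration is served to an anonymous client. Make the dependency visible at the call site, e.g. `display_data();  # never returns: prints the empty-field response and exits`, or add an explicit `exit;` after the call so the guard does not rely on the callee. Note also that nothing is passed to display_data() here, so the template is rendered with an undefined variable hash; whether the config templates tolerate every list being absent cannot be confirmed from this diff. This is top-level script code and the statement run continues beyond the hunk.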
@@ -84,15 +94,23 @@ $vars->{'closed_status'} = \@closed_status;
 # Generate a list of fields that can be queried.
 $vars->{'field'} = [Bugzilla->dbh->bz_get_field_defs()];
-# Determine how the user would like to receive the output;
-# default is JavaScript.
-my $cgi = Bugzilla->cgi;
-my $format = GetFormat("config", scalar($cgi->param('format')),
- scalar($cgi->param('ctype')) || "js");
+display_data($vars);
+
-# Return HTTP headers.
-print "Content-Type: $format->{'ctype'}\n\n";
+sub display_data {
+ my $vars = shift;
-# Generate the configuration file and return it to the user.
-$template->process($format->{'template'}, $vars)
- || ThrowTemplateError($template->error());
+ my $cgi = Bugzilla->cgi;
+ # Determine how the user would like to receive the output;
+ # default is JavaScript.
+ my $format = GetFormat("config", scalar($cgi->param('format')),
+ scalar($cgi->param('ctype')) || "js");
+
+ # Return HTTP headers.
+ print "Content-Type: $format->{'ctype'}\n\n";
+
+ # Generate the configuration file and return it to the user.
+ $template->process($format->{'template'}, $vars)
+ || ThrowTemplateError($template->error());
+ exit;
+}
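Review bot: `my $vars = shift;` inside the new display_data() shadows the file-level `$vars` declared with `use vars qw($template $vars)`, so when the sub is called with no argument (the requirelogin path added earlier in this commit) the template sees undef rather than the global hash the script fills in — that is the intended empty-field behaviour, but nothing in the sub says so and a later reader could easily assume the global is used. Add a header comment such as `# Print the configuration in the requested format and exit. $vars is the hash handed to the template; when omitted (requirelogin on, no authenticated user) the template is rendered with no variables so every field comes out empty. Never returns.` The `format`/`ctype` query parameters still flow into the Content-Type header via GetFormat(), which presumably validates them against the available templates; that cannot be confirmed from this diff.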