From: jake%acutex.net <>
Date: Thu, 7 Jun 2001 01:36:25 +0000 (+0000)
Subject: Users should only be able to view attachments if they can view the bug that the file...
X-Git-Tag: bugzilla-2.14~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce9c76ebbd1a699ce89cdead5f7ba427b62d9844;p=thirdparty%2Fbugzilla.git

Users should only be able to view attachments if they can view the bug that the file is attached to (bug 70189) r=tara
---
diff --git a/showattachment.cgi b/showattachment.cgi
index 22cfa9087a..ae81117e51 100755
--- a/showattachment.cgi
+++ b/showattachment.cgi
@@ -19,6 +19,7 @@
 # Rights Reserved.
 #
 # Contributor(s): Terry Weissman
+# Jacob Steenhagen
 
 use diagnostics;
 use strict;
@@ -27,17 +28,24 @@ require "CGI.pl";
 
 ConnectToDatabase();
 
-my @row;
-if (defined $::FORM{'attach_id'}) {
-    SendSQL("select mimetype, thedata from attachments where attach_id =".SqlQuote($::FORM{'attach_id'}));
-    @row = FetchSQLData();
+quietly_check_login();
+
+if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) {
+    DisplayError("Attachment ID should be numeric.");
+    exit;
 }
-if (!@row) {
-    print "Content-type: text/html\n\n";
-    PutHeader("Bad ID");
-    print "Please hit back and try again.\n";
+
+SendSQL("select bug_id, mimetype, thedata from attachments where attach_id = $::FORM{'attach_id'}");
+my ($bug_id, $mimetype, $thedata) = FetchSQLData();
+
+if (!$bug_id) {
+    DisplayError("Attachment $::FORM{attach_id} does not exist.");
     exit;
 }
-print qq{Content-type: $row[0]\n\n$row[1]};
+
+# Make sure the user can see the bug to which this file is attached
+ValidateBugID($bug_id);
+
+print qq{Content-type: $mimetype\n\n$thedata};
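Review bot: The regex check `if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/)` is now the only thing standing between the request parameter and its unquoted interpolation into the SendSQL string, since the commit drops the `SqlQuote(...)` wrapper; `$` also matches before a trailing newline, and an absent attach_id (the old code tested `defined`) now raises an uninitialized-value warning under `use diagnostics` before DisplayError runs. Suggest `if (!defined $::FORM{attach_id} || $::FORM{attach_id} !~ /\A[1-9][0-9]*\z/) {` and keeping `SqlQuote($::FORM{'attach_id'})` in the query so the SQL does not rely on the regex alone. The `$mimetype` column is written straight into the Content-type header; whether it is validated at upload time is not visible here, so a comment such as `# $mimetype is emitted as a header verbatim — relies on upload-time validation, confirm` would document the assumption. The collapsed text appears to have lost this hunk's two trailing context lines, so the `-27,17 +28,24` counts cannot be checked against what is shown.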