From: lpsolit%gmail.com <>
Date: Sat, 1 Oct 2005 05:28:04 +0000 (+0000)
Subject: Bug 308662: [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions... 
X-Git-Tag: bugzilla-2.20~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2a3d7a42271ffd58ebbe7bf75803e0c60efc71d;p=thirdparty%2Fbugzilla.git

Bug 308662: [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave
---

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 3a3cace197..cfa3429206 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -713,10 +713,10 @@ sub match {
         if (&::Param('usevisibilitygroups')) {
             $query .= ", user_group_map";
         }
-        $query     .= " WHERE " .
+        $query     .= " WHERE (" .
                 $dbh->sql_position($sqlstr, 'LOWER(login_name)') . " > 0" .
                       " OR " .
-                $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0";
+                $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0)";
         if (&::Param('usevisibilitygroups')) {
             $query .= " AND user_group_map.user_id = userid" .
                       " AND isbless = 0" .