From 05ce978a36901b53ee04b5d57ec7016b013ae4cc Mon Sep 17 00:00:00 2001 From: "justdave%syndicomm.com" <> Date: Wed, 21 Nov 2001 16:31:59 +0000 Subject: [PATCH] Fix for bug 102141: SECURITY FIX - the Product popup menu on the show_bug form listed all products, even if the user didn't have access to all of them. It now only shows products the user has access to (and the product the bug is in, if the user is viewing it because of some other override) Patch by George Hotelling and Dave Miller r= bbaetz, caillon --- bug_form.pl | 149 +++++++++++++++++++++++++++++----------------------- 1 file changed, 83 insertions(+), 66 deletions(-) diff --git a/bug_form.pl b/bug_form.pl index 67829d111c..3cf7a9b20d 100644 --- a/bug_form.pl +++ b/bug_form.pl @@ -38,7 +38,6 @@ sub bug_form_pl_sillyness { $zz = @::legal_keywords; $zz = @::legal_opsys; $zz = @::legal_platform; - $zz = @::legal_product; $zz = @::legal_priority; $zz = @::settable_resolution; $zz = @::legal_severity; @@ -65,13 +64,13 @@ select reporter, bug_file_loc, short_desc, - target_milestone, - qa_contact, - status_whiteboard, + target_milestone, + qa_contact, + status_whiteboard, date_format(creation_ts,'%Y-%m-%d %H:%i'), groupset, - delta_ts, - sum(votes.count) + delta_ts, + sum(votes.count) from bugs left join votes using(bug_id) where bugs.bug_id = $id group by bugs.bug_id"; @@ -126,7 +125,7 @@ my $sev_popup = make_options(\@::legal_severity, $bug{'bug_severity'}); my $component_popup = make_options($::components{$bug{'product'}}, - $bug{'component'}); + $bug{'component'}); my $ccSet = new RelationSet; $ccSet->mergeFromDB("select who from cc where bug_id=$id"); @@ -149,6 +148,49 @@ if (defined $URL && $URL ne "none" && $URL ne "NULL" && $URL ne "") { $URL = "URL:"; } +# +# Make a list of products the user has access to +# + +my (@prodlist, $product_popup); +foreach my $p (sort(keys %::versions)) { + if ($p eq $bug{'product'}) { + # if it's the product the bug is already in, it's ALWAYS in + # the popup, period, whether the user can see it or not, and + # regardless of the disallownew setting. + push(@prodlist, $p); + next; + } + if (defined $::proddesc{$p} && $::proddesc{$p} eq '0') { + # Special hack. If we stuffed a "0" into proddesc, that means + # that disallownew was set for this bug, and so we don't want + # to allow people to specify that product here. + next; + } + if(Param("usebuggroupsentry") + && GroupExists($p) + && !UserInGroup($p)) + { + # If we're using bug groups to restrict entry on products, and + # this product has a bug group, and the user is not in that + # group, we don't want to include that product in this list. + next; + } + push(@prodlist, $p); +} + +# If the user has access to multiple products, display a popup, otherwise +# display the current product. + +if (1 < @prodlist) { + $product_popup = ""; +} +else { + $product_popup = $bug{'product'}; +} + print " @@ -162,9 +204,7 @@ print " Reporter:$bug{'reporter'} Product: - + $product_popup   OS:
"; -if ($::usergroupset ne '0' || $bug{'groupset'} ne '0') { - SendSQL("select bit, name, description, (bit & $bug{'groupset'} != 0), " . - "(bit & $::usergroupset != 0) from groups where isbuggroup != 0 " . +if ($::usergroupset ne '0') { + SendSQL("select bit, name, description, (bit & $bug{'groupset'} != 0) " . + "from groups where bit & $::usergroupset != 0 " . + "and isbuggroup != 0 " . # Include active groups as well as inactive groups to which # the bug already belongs. This way the bug can be removed # from an inactive group but can only be added to active ones. - "and ((isactive = 1 and (bit & $::usergroupset != 0)) or " . - "(bit & $bug{'groupset'} != 0)) " . - "order by description"); + "and (isactive = 1 or (bit & $bug{'groupset'} != 0)) " . + "order by description"); # We only print out a header bit for this section if there are any # results. my $groupFound = 0; - my $inAllGroups = 1; while (MoreSQLData()) { - my ($bit, $name, $description, $ison, $ingroup) = (FetchSQLData()); + my ($bit, $name, $description, $ison) = (FetchSQLData()); # For product groups, we only want to display the checkbox if either # (1) The bit is already set, or - # (2) The user is in the group, but either: - # (a) The group is a product group for the current product, or - # (b) The group name isn't a product name - # This measns that all product groups will be skipped, but non-product - # bug groups will still be displayed. - if($ison || ($ingroup && (($name eq $bug{'product'}) || - (!defined $::proddesc{$name})))) { + # (2) It's the group for this product. + # All other product groups will be skipped. Non-product bug groups + # will still be displayed. + if($ison || ($name eq $bug{'product'}) || (!defined $::proddesc{$name})) { if(!$groupFound) { print "
Only users in the selected groups can view this bug:
\n"; - print "(Unchecking all boxes makes this a public bug.)

\n"; + print "(Leave all boxes unchecked to make this a public bug.)

\n"; $groupFound = 1; } - if(!$ingroup) { - $inAllGroups = 0; - } # Modifying this to use checkboxes instead my $checked = $ison ? " CHECKED" : ""; - my $disabled = $ingroup ? "" : " DISABLED=\"disabled\""; # indent these a bit print "    "; - print "\n"; + print "\n"; print "$description
\n"; } } - if (!$inAllGroups) { - print "Only members of a group can change the visibility of a bug for that group
"; - } # If the bug is restricted to a group, display checkboxes that allow # the user to set whether or not the reporter, assignee, QA contact, @@ -471,7 +488,7 @@ if ($status eq $::unconfirmedstate) { $canconfirm = UserInGroup("canconfirm") || ($::userid == 0); if ($canedit || $canconfirm) { print ""; - print "Confirm bug (change status to NEW)
"; + print "Confirm bug (change status to NEW)
"; $knum++; } } @@ -508,9 +525,9 @@ if ($canedit || $::userid == $assignedtoid || $knum++; print " Resolve bug, mark it as duplicate of bug # -
\n"; +
\n"; $knum++; - my $assign_element = ""; + my $assign_element = ""; print " Reassign bug to @@ -580,11 +597,11 @@ if ( Param("move-enabled") && (defined $::COOKIE{"Bugzilla_login"}) && ($::COOKI print "
"; -print qq| - +print " +
Description:
Description: Opened: $bug{'creation_ts'}
-|; +"; print $bug{'long_desc'}; print "
\n"; -- 2.47.2