From 50fd93f3813f8d30ee05a45eb8e8e02c4770bc8b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= <LpSolit@gmail.com>
Date: Wed, 4 Aug 2010 23:33:33 +0200
Subject: [PATCH] Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me
 query for users being in any given group r=mkanat a=LpSolit

---
 Bugzilla/Search.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index e9abe72e73..51f611ac55 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1220,7 +1220,8 @@ sub _contact_exact_group {
     $$v =~ m/%group\\.([^%]+)%/;
     my $group = $1;
     my $groupid = Bugzilla::Group::ValidateGroupName( $group, ($user));
-    $groupid || ThrowUserError('invalid_group_name',{name => $group});
+    ($groupid && $user->in_group_id($groupid))
+      || ThrowUserError('invalid_group_name',{name => $group});
     my @childgroups = @{Bugzilla::Group->flatten_group_membership($groupid)};
     my $table = "user_group_map_$$chartid";
     push (@$supptables, "LEFT JOIN user_group_map AS $table " .
@@ -1292,7 +1293,8 @@ sub _cc_exact_group {
     $$v =~ m/%group\\.([^%]+)%/;
     my $group = $1;
     my $groupid = Bugzilla::Group::ValidateGroupName( $group, ($user));
-    $groupid || ThrowUserError('invalid_group_name',{name => $group});
+    ($groupid && $user->in_group_id($groupid))
+      || ThrowUserError('invalid_group_name',{name => $group});
     my @childgroups = @{Bugzilla::Group->flatten_group_membership($groupid)};
     my $chartseq = $$chartid;
     if ($$chartid eq "") {
-- 
2.47.2