From f8e5a718a0855e5ad6160828c66c7aa154d6b67c Mon Sep 17 00:00:00 2001
From: "justdave%bugzilla.org" <>
Date: Mon, 25 Oct 2004 14:37:01 +0000
Subject: [PATCH] [SECURITY] Bug 250605: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when receiving bug change notification mails. This only affects sites that use the 'insidergroup' feature. Patch by Joel Peshkin r=kiko,justdave, a=justdave
---
 Bugzilla/BugMail.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Bugzilla/BugMail.pm b/Bugzilla/BugMail.pm
index 40a40dc2be..9299707814 100644
--- a/Bugzilla/BugMail.pm
+++ b/Bugzilla/BugMail.pm
@@ -238,6 +238,11 @@ sub ProcessOneBug($) {
 $old = FormatTimeUnit($old);
 $new = FormatTimeUnit($new);
 }
+ if ($attachid) {
+ SendSQL("SELECT isprivate FROM attachments
+ WHERE attach_id = $attachid");
+ $diffpart->{'isprivate'} = FetchOneColumn();
+ }
 $difftext = FormatTriple($what, $old, $new);
 $diffpart->{'header'} = $diffheader;
 $diffpart->{'fieldname'} = $fieldname;
@@ -772,6 +777,11 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
 if ($user->groups->{Param("timetrackinggroup")}) {
 $add_diff = 1;
 }
+ } elsif (($diff->{'isprivate'})
+ && Param('insidergroup')
+ && !($user->groups->{Param('insidergroup')})
+ ) {
+ $add_diff = 0;
 } else {
 $add_diff = 1;
 }
--
2.47.2
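Review bot: `$attachid` is interpolated directly into the SQL text of the added `SendSQL` call in ProcessOneBug, and the hunk does not show where it is assigned, so the query is only safe if the value is guaranteed to be an integer read back from the database. If that cannot be confirmed from the code above the hunk, tighten the guard to `if ($attachid && $attachid =~ /^\d+$/) {` so nothing else reaches the statement. A missing attachment row also leaves `isprivate` undefined, which the recipient check in the second hunk appears to treat as "not private", so the lookup fails open. A short comment such as `# Record attachment privacy so per-recipient filtering can withhold this change` would document why the extra query is here. ProcessOneBug starts and ends outside the hunk.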
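Review bot: The new `elsif` in NewProcessOnePerson withholds a private-attachment change only while `Param('insidergroup')` is non-empty, so if the parameter is cleared while attachments still carry `isprivate`, every recipient gets these diffs again. That may be the intended meaning of turning the feature off, but it is a fail-open default and deserves a comment on the branch, for example `# Changes to private attachments are mailed only to insidergroup members; with no insidergroup set, nothing is hidden`. The branch is also reached only when the earlier condition of the chain, which begins outside the hunk, is false, so it is worth confirming that no private-attachment field can match that earlier condition. As a style point, `Param('insidergroup')` is evaluated twice in one condition; reading it once into a local before the chain would be easier to follow.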