From fdcd6dc09562344a30dde742f3d739c8ba03c65b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A9d=C3=A9ric=20Buclin?=
Date: Thu, 4 Aug 2011 22:13:15 +0200
Subject: [PATCH] Bug 653477: (CVE-2011-2380) [SECURITY] Group names can be guessed when creating or editing a bug r=dkl a=LpSolit
---
 Bugzilla/Bug.pm | 2 +-
 template/en/default/global/code-error.html.tmpl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 3cd5a38224..a9b52f45c8 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -1403,7 +1403,7 @@ sub _check_groups {
 || ThrowUserError("invalid_group_ID");
 # This can only happen if somebody hacked the enter_bug form.
- ThrowCodeError("inactive_group", { name => $group->name })
+ ThrowCodeError("inactive_group", { group_id => $id })
 unless $group->is_active;
 my $membercontrol = $controls->{$id}
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index b09f71a350..e70f5b2a67 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -217,8 +217,8 @@
 A legal [% field FILTER html %] was not set.
 [% ELSIF error == "inactive_group" %]
- Attempted to add [% terms.bug %] to the '[% name FILTER html %]'
- group, which is not used for [% terms.bugs %].
+ Attempted to add [% terms.abug %] to group ID [% group_id FILTER html %],
+ which is not used for [% terms.bugs %].
 [% ELSIF error == "invalid_attach_id_to_obsolete" %]
 The attachment number of one of the attachments you wanted to obsolete,
-- 
2.47.2
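Review bot: Nothing at the `ThrowCodeError("inactive_group", { group_id => $id })` call in Bugzilla/Bug.pm records why the submitted ID is passed instead of `$group->name`, so a later cleanup could quietly reintroduce the name disclosure. I would add a comment directly above it, for example `# Pass only the submitted ID: the group name must not be revealed to a user who may not be allowed to see the group.` Separately, a missing group still raises `invalid_group_ID` while an inactive one raises `inactive_group`, so the two responses still tell a requester whether a numeric ID exists. That is far weaker than leaking names, but if it matters, both cases could share one error. `_check_groups` starts and ends outside the hunk, so how `$id` is validated before this point is not visible here.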
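Review bot: The `inactive_group` branch in code-error.html.tmpl now reads `group_id` and no longer reads `name`, so any other caller that still throws this error with `{ name => ... }` would render an empty ID. Only the `_check_groups` call site is updated in this patch, so the tree should be searched for other uses of `inactive_group` before merging. The value shown is echoed from the request, so the `FILTER html` on `group_id` needs to stay. The switch from `terms.bug` to `terms.abug` is a wording change unrelated to the disclosure fix and would be easier to audit in a separate commit.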