Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access

r/a=LpSolit git-svn-id: svn://10.0.0.236/trunk@264768 18797224-902f-48f8-a5cc-f745e15eee43
2013-02-19 17:15:41 +00:00 · 2013-02-19 17:15:41 +00:00 · 0a81634be5
commit 0a81634be5
parent f7f5728a6a
5 changed files with 23 additions and 3 deletions
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@ -1 +1 @@
-8585
+8586
--- a/mozilla/webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm
@ -57,6 +57,14 @@ sub get_param_list {
   checker => \&check_group
  },
  
+  {
+   name => 'debug_group',
+   type => 's',
+   choices => \&_get_all_group_names,
+   default => 'admin',
+   checker => \&check_group
+  },
+  
  {
   name => 'usevisibilitygroups',
   type => 'b',
--- a/mozilla/webtools/bugzilla/buglist.cgi
+++ b/mozilla/webtools/bugzilla/buglist.cgi
@ -721,7 +721,10 @@ $::SIG{PIPE} = 'DEFAULT';
 my ($data, $extra_data) = $search->data;
 $vars->{'search_description'} = $search->search_description;

-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && $user->in_group(Bugzilla->params->{debug_group})
+) {
    $vars->{'debug'} = 1;
    $vars->{'queries'} = $extra_data;
    my $query_time = 0;
--- a/mozilla/webtools/bugzilla/report.cgi
+++ b/mozilla/webtools/bugzilla/report.cgi
@ -258,7 +258,13 @@ $vars->{'width'} = $width;
 $vars->{'height'} = $height;
 $vars->{'queries'} = $extra_data;
 $vars->{'saved_report_id'} = $cgi->param('saved_report_id');
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+    $vars->{'debug'} = 1;
+}

 if ($action eq "wrap") {
    # So which template are we using? If action is "wrap", we will be using
--- a/mozilla/webtools/bugzilla/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/admin/params/groupsecurity.html.tmpl
@ -29,6 +29,9 @@
  querysharegroup => "The name of the group of users who can share their " _
                     "saved searches with others.",

+  debug_group => "The name of the group of users who can view the actual " _
+                 "SQL query generated when viewing $terms.bug lists and reports.",
+
  usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
                         "specific groups?",