From 0a81634be5569768c6c8bd7431ccfe1f63f8d6dd Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org"
Date: Tue, 19 Feb 2013 17:15:41 +0000
Subject: [PATCH] Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access

r/a=LpSolit

git-svn-id: svn://10.0.0.236/trunk@264768 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/webtools/bugzilla/.bzrrev                                  | 2 +-
 .../webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm             | 8 ++++++++
 mozilla/webtools/bugzilla/buglist.cgi                              | 5 ++++-
 mozilla/webtools/bugzilla/report.cgi                               | 8 +++++++-
 .../en/default/admin/params/groupsecurity.html.tmpl                | 3 +++
 5 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev
index ab6c187b9a2..727f0f64427 100644
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-8585
\ No newline at end of file
+8586
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm b/mozilla/webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm
index d5f02f42dad..d57573de332 100644
--- a/mozilla/webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Config/GroupSecurity.pm
@@ -57,6 +57,14 @@ sub get_param_list {
     checker => \&check_group
   },
+  {
+   name => 'debug_group',
+   type => 's',
+   choices => \&_get_all_group_names,
+   default => 'admin',
+   checker => \&check_group
+  },
+
   {
    name => 'usevisibilitygroups',
    type => 'b',
diff --git a/mozilla/webtools/bugzilla/buglist.cgi b/mozilla/webtools/bugzilla/buglist.cgi
index 625b7eab863..97654cdf254 100755
--- a/mozilla/webtools/bugzilla/buglist.cgi
+++ b/mozilla/webtools/bugzilla/buglist.cgi
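Review bot: The new `debug_group` entry in GroupSecurity.pm says nothing about what it protects, so a maintainer reading the parameter list cannot tell why SQL debug output is group-restricted; the only explanation is the commit message (bug 824399 / CVE-2013-0786), which states that the generated query reveals products and components the viewer cannot access. I would add a comment above the added `{` line: `# Gates the ?debug=1 SQL dump in buglist.cgi and report.cgi: the generated query exposes products and components the viewer is not allowed to see (bug 824399).` Defaulting to `'admin'` is the conservative choice, and the `choices`/`checker` pair appears to mirror the entry that ends just above it, which keeps the admin UI consistent. get_param_list continues outside the hunk.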
@@ -721,7 +721,10 @@ $::SIG{PIPE} = 'DEFAULT';
 my ($data, $extra_data) = $search->data;
 $vars->{'search_description'} = $search->search_description;
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && $user->in_group(Bugzilla->params->{debug_group})
+) {
     $vars->{'debug'} = 1;
     $vars->{'queries'} = $extra_data;
     my $query_time = 0;
diff --git a/mozilla/webtools/bugzilla/report.cgi b/mozilla/webtools/bugzilla/report.cgi
index 2949a18c32a..5e51bd34a6b 100755
--- a/mozilla/webtools/bugzilla/report.cgi
+++ b/mozilla/webtools/bugzilla/report.cgi
@@ -258,7 +258,13 @@ $vars->{'width'} = $width;
 $vars->{'height'} = $height;
 $vars->{'queries'} = $extra_data;
 $vars->{'saved_report_id'} = $cgi->param('saved_report_id');
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+    $vars->{'debug'} = 1;
+}
 if ($action eq "wrap") {
     # So which template are we using? If action is "wrap", we will be using
diff --git a/mozilla/webtools/bugzilla/template/en/default/admin/params/groupsecurity.html.tmpl b/mozilla/webtools/bugzilla/template/en/default/admin/params/groupsecurity.html.tmpl
index 86cbedcf819..7e30f072382 100644
--- a/mozilla/webtools/bugzilla/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/admin/params/groupsecurity.html.tmpl
@@ -29,6 +29,9 @@
   querysharegroup => "The name of the group of users who can share their " _
                      "saved searches with others.",
+  debug_group => "The name of the group of users who can view the actual " _
+                 "SQL query generated when viewing $terms.bug lists and reports.",
+
   usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
                          "specific groups?",
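Review bot: The three-clause permission test added to the `if` in buglist.cgi is repeated verbatim in the report.cgi hunk (with `$user` in one file and `Bugzilla->user` in the other), so the two entry points that expose generated SQL can drift apart the next time the rule changes. I would put the rule in one place, for example a method on the user object such as `sub can_see_debug { my $self = shift; my $g = Bugzilla->params->{debug_group}; return $g && $self->in_group($g); }` (name is a proposal), and reduce both sites to `if ($cgi->param('debug') && $user->can_see_debug) {`. In buglist.cgi `$user` is presumably the logged-in user set earlier in the script, which is outside the hunk; the body of the `if` block also continues past the hunk.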
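Review bot: In the report.cgi hunk the context line `$vars->{'queries'} = $extra_data;` three lines above the new check still hands the generated SQL to the template on every request, so the new group test only controls the `debug` flag, not whether the query text reaches the template at all; whether the template prints `queries` only under `debug` cannot be seen from this hunk. buglist.cgi, by contrast, assigns `queries` inside its `if` block. For defence in depth I would move the assignment into the new block so the body reads `$vars->{'debug'} = 1;` followed by `$vars->{'queries'} = $extra_data;`. Note also that `$vars->{'debug'}` is now left undefined for non-members rather than set to the raw parameter value, which is the right outcome but should be what the report templates expect.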