Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users being in any given group

r=mkanat a=LpSolit


git-svn-id: svn://10.0.0.236/trunk@260972 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/webtools/bugzilla/.bzrrev

@@ -1 +1 @@
-7427
+7428

mozilla/webtools/bugzilla/Bugzilla/Search.pm

@@ -1856,10 +1856,14 @@ sub _contact_exact_group {
     my ($value, $operator, $field, $chart_id, $joins) =
         @$args{qw(value operator field chart_id joins)};
     my $dbh = Bugzilla->dbh;
+    my $user = $self->_user;
     
     $value =~ /\%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $group_ids = Bugzilla::Group->flatten_group_membership($group->id);
     my $table = "user_group_map_$chart_id";
     my $join = {
@@ -1904,6 +1908,9 @@ sub _cc_exact_group {
     $value =~ m/%group\.([^%]+)%/;
     my $group = Bugzilla::Group->check($1);
     $group->check_members_are_visible();
+    $user->in_group($group)
+      || ThrowUserError('invalid_group_name', {name => $group->name});
+
     my $all_groups = Bugzilla::Group->flatten_group_membership($group->id);
 
     # This is for the email1, email2, email3 fields from query.cgi.