Closed Bug 39526 Opened 25 years ago Closed 24 years ago

show_activity.cgi doesn't check viewing permissions

Categories

(Bugzilla :: Bugzilla-General, defect, P3)

Product:
Bugzilla
Component:
Bugzilla-General
Platform:
Other
Other
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.14

People

(Reporter: jruderman, Assigned: myk)

References

(
URL
)

Details

(Whiteboard: security)

Attachments

(3 files)

patch to validate bug ID and check permissions to view bug
2.79 KB, patch
Details | Diff | Splinter Review
patch that abstracts out bug ID validation
3.72 KB, patch
Details | Diff | Splinter Review
patch w/o CGI.pl for installations that have already installed the patch for bug 39524
1.69 KB, patch
Details | Diff | Splinter Review
Blocks: 66091
Whiteboard: 2.14
Whiteboard: 2.14 → 2.14, security
moving to real milestones...
Whiteboard: 2.14, security → security
Target Milestone: --- → Bugzilla 2.14
This second patch puts most of the validation code into a separate function in CGI.pl so it can be used by other scripts that need to do bug ID validation (like bug 39524, bug 39527, etc.).
Assignee: tara → myk
Keywords: patch
The check for the user belonging to the product group is unnecessary. That's included in the groupset on the bug itself. It is possible to clear the product group bit on a bug that's in a product that has a group, and this would prevent people from seeing it then.
accepting
Status: NEW → ASSIGNED
Adding "review" keyword to get these on the radars of reviewers (if they aren't already).
Keywords: review
r=jake Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
*** Bug 94476 has been marked as a duplicate of this bug. ***
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: