[Pkg-bugzilla-commits] r97 - in trunk/bugzilla-2.16.7: . debian
Alexis Sukrieh
sukria-guest@costa.debian.org
Thu, 19 May 2005 14:49:06 +0000
Author: sukria-guest
Date: 2005-05-19 14:49:03 +0000 (Thu, 19 May 2005)
New Revision: 97
Modified:
trunk/bugzilla-2.16.7/debian/changelog
trunk/bugzilla-2.16.7/enter_bug.cgi
trunk/bugzilla-2.16.7/globals.pl
trunk/bugzilla-2.16.7/post_bug.cgi
trunk/bugzilla-2.16.7/process_bug.cgi
Log:
bugzilla (2.16.7-7) unstable; urgency=low
* Applied upstream security patch (backport from the upstream 2.16.10
release) for closing CAN-2005-1564 and CAN-2005-1563 (bugzilla's
bugs #287109, #294655)
(closes: #308787)
Modified: trunk/bugzilla-2.16.7/debian/changelog
===================================================================
--- trunk/bugzilla-2.16.7/debian/changelog 2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/debian/changelog 2005-05-19 14:49:03 UTC (rev 97)
@@ -1,3 +1,12 @@
+bugzilla (2.16.7-7) unstable; urgency=low
+
+ * Applied upstream security patch (backport from the upstream 2.16.10
+ release) for closing CAN-2005-1564 and CAN-2005-1563 (bugzilla's
+ bugs #287109, #294655)
+ (closes: #308787)
+
+ -- Alexis Sukrieh <sukria@sukria.net> Thu, 19 May 2005 16:46:56 +0200
+
bugzilla (2.16.7-6) unstable; urgency=low
* Added a "checkpo" target in debian/rules for checking the debian/po files.
Modified: trunk/bugzilla-2.16.7/enter_bug.cgi
===================================================================
--- trunk/bugzilla-2.16.7/enter_bug.cgi 2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/enter_bug.cgi 2005-05-19 14:49:03 UTC (rev 97)
@@ -224,38 +224,11 @@
# If the usebuggroupsentry parameter is set, we need to check and make sure
# that the user has permission to enter a bug against this product.
-if(Param("usebuggroupsentry")
- && GroupExists($product)
- && !UserInGroup($product))
-{
- DisplayError("Sorry; you do not have the permissions necessary to " .
- "enter a bug against this product.\n");
- exit;
-}
+CanEnterProductOrWarn($product);
GetVersionTable();
-if (lsearch(\@::enterable_products, $product) == -1) {
- DisplayError("'" . html_quote($product) . "' is not a valid product.");
- exit;
-}
-
-if (0 == @{$::components{$product}}) {
- my $error = "Sorry; there needs to be at least one component for this " .
- "product in order to create a new bug. ";
- if (UserInGroup('editcomponents')) {
- $error .= "<a href=\"editcomponents.cgi\">" .
- "Create a new component</a>\n";
- }
- else {
- $error .= "Please contact " . Param("maintainer") . ", detailing " .
- "the product in which you tried to create a new bug.\n";
- }
-
- DisplayError($error);
- exit;
-}
-elsif (1 == @{$::components{$product}}) {
+if (1 == @{$::components{$product}}) {
# Only one component; just pick it.
$::FORM{'component'} = $::components{$product}->[0];
}
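Review bot: The comment kept above the new `CanEnterProductOrWarn($product);` call still describes only the usebuggroupsentry group check. Per the globals.pl hunk, the helper also rejects unknown products, products closed for new bugs and products with no component, and it calls `exit` instead of returning on any of those failures. I would replace the comment with `# Exits with an error page unless $product exists, accepts new bugs, has a component, and the user may enter bugs against it.` so that nobody goes looking for the removed checks. The same applies to the bare call under `# Some sanity checking` in the post_bug.cgi hunk.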
Modified: trunk/bugzilla-2.16.7/globals.pl
===================================================================
--- trunk/bugzilla-2.16.7/globals.pl 2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/globals.pl 2005-05-19 14:49:03 UTC (rev 97)
@@ -849,6 +849,56 @@
return $ret;
}
+sub CanEnterProductOrWarn {
+ # Determines whether or not a user can enter bugs into the product.
+ my ($productname) = @_;
+
+ SendSQL("SELECT product FROM products WHERE product = " .
+ SqlQuote($productname));
+
+ my $product_exists = (defined(FetchOneColumn())) ? 1 : 0;
+
+ if (!$product_exists
+ || (Param("usebuggroupsentry")
+ && GroupExists($productname)
+ && !UserInGroup($productname)))
+ {
+ DisplayError("Sorry, either this product does not exist, or you
+ don't have the required permissions to enter a bug
+ against that product.", "Permission Denied");
+ exit;
+ }
+
+ SendSQL("SELECT CASE WHEN disallownew = 0 THEN 1 ELSE 0 END
+ FROM products INNER JOIN components
+ ON components.program = products.product
+ WHERE products.product = " . SqlQuote($productname) . " LIMIT 1");
+
+ my $status = FetchOneColumn();
+
+ # Return 1 if the user can enter bugs into that product;
+ # return 0 if the product is closed for new bug entry;
+ # return undef if the product has no component.
+
+ if (!defined($status)) {
+ my $error = "Sorry; there needs to be at least one component for this " .
+ "product in order to create a new bug. ";
+ if (UserInGroup('editcomponents')) {
+ $error .= "<a href=\"editcomponents.cgi\">Create a new component</a>\n";
+ }
+ else {
+ $error .= "Please contact " . Param("maintainer") . ", detailing " .
+ "the product in which you tried to create a new bug.\n";
+ }
+ DisplayError($error);
+ exit;
+ } elsif (!$status) {
+ DisplayError("Sorry, entering bugs into this product has been disabled.");
+ exit;
+ }
+ return $status;
+}
+
sub ValidatePassword {
# Determines whether or not a password is valid (i.e. meets Bugzilla's
# requirements for length and content). If the password is valid, the
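Review bot: The comment block before `if (!defined($status))` in CanEnterProductOrWarn documents return values of 0 and undef, but both of those branches call DisplayError and `exit`, so a caller only ever receives a true `$status`. I would reword it to `# $status: 1 = open for new bugs, 0 = closed for entry, undef = no component; only the first case returns, the others show an error and exit.` The header comment should also say that the sub ends the request on failure, which the "OrWarn" name does not suggest. Separately, the no-component message appends `Param("maintainer")` to a string that already carries raw HTML, so it presumably reaches the page unescaped. The value is admin-set, but wrapping it in `html_quote`, as the removed enter_bug.cgi code did for the product name, would be a cheap safeguard.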
Modified: trunk/bugzilla-2.16.7/post_bug.cgi
===================================================================
--- trunk/bugzilla-2.16.7/post_bug.cgi 2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/post_bug.cgi 2005-05-19 14:49:03 UTC (rev 97)
@@ -92,13 +92,7 @@
umask 0;
# Some sanity checking
-if(Param("usebuggroupsentry") && GroupExists($product)) {
- if(!UserInGroup($product)) {
- DisplayError("Sorry; you do not have the permissions necessary to enter
- a bug against this product.", "Permission Denied");
- exit;
- }
-}
+CanEnterProductOrWarn($product);
if (!$::FORM{'component'}) {
DisplayError("You must choose a component that corresponds to this bug.
Modified: trunk/bugzilla-2.16.7/process_bug.cgi
===================================================================
--- trunk/bugzilla-2.16.7/process_bug.cgi 2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/process_bug.cgi 2005-05-19 14:49:03 UTC (rev 97)
@@ -39,7 +39,8 @@
# Shut up misguided -w warnings about "used only once":
-use vars qw(%versions
+use vars qw(@legal_product
+ %versions
%components
%COOKIE
%legal_keywords
@@ -166,9 +167,19 @@
|| (!$::FORM{'id'} && $::FORM{'product'} ne $::dontchange))
&& CheckonComment( "reassignbycomponent" ))
{
- CheckFormField(\%::FORM, 'product', \@::legal_product);
my $prod = $::FORM{'product'};
+ # If at least one bug does not belong to the product we are
+ # moving to, we have to check whether or not the user is
+ # allowed to enter bugs into that product.
+ # Note that this check must be done early to avoid the leakage
+ # of component, version and target milestone names.
+ SendSQL("SELECT 1 FROM bugs
+ WHERE product != " . SqlQuote($prod) .
+ " AND bug_id IN (" . join(',', @idlist) . ") LIMIT 1");
+
+ if (FetchOneColumn()) { CanEnterProductOrWarn($prod) }
+
# note that when this script is called from buglist.cgi (rather
# than show_bug.cgi), it's possible that the product will be changed
# but that the version and/or component will be set to
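Review bot: The new `SELECT 1 FROM bugs ... bug_id IN (...)` statement splices `join(',', @idlist)` straight into the SQL, while `$prod` beside it goes through SqlQuote. That is safe only if every element of @idlist has already been validated as a numeric bug id and the list is non-empty, since an empty list produces `IN ()`. The code that fills @idlist is outside this hunk, so neither condition can be confirmed from here. I would state the assumption in the new comment, e.g. `# @idlist holds only validated numeric bug ids at this point.`, and wrap the query in `if (@idlist)` if an empty list can reach this branch. The enclosing `if` block starts before the hunk and continues past it.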