[Pkg-bugzilla-commits] r97 - in trunk/bugzilla-2.16.7: . debian

Alexis Sukrieh sukria-guest@costa.debian.org
Thu, 19 May 2005 14:49:06 +0000


Author: sukria-guest
Date: 2005-05-19 14:49:03 +0000 (Thu, 19 May 2005)
New Revision: 97

Modified:
   trunk/bugzilla-2.16.7/debian/changelog
   trunk/bugzilla-2.16.7/enter_bug.cgi
   trunk/bugzilla-2.16.7/globals.pl
   trunk/bugzilla-2.16.7/post_bug.cgi
   trunk/bugzilla-2.16.7/process_bug.cgi
Log:
bugzilla (2.16.7-7) unstable; urgency=low

  * Applied upstream security patch (backport from the upstream 2.16.10
    release) for closing CAN-2005-1564 and CAN-2005-1563 (bugzilla's
    bugs #287109, #294655)
    (closes: #308787)



Modified: trunk/bugzilla-2.16.7/debian/changelog
===================================================================
--- trunk/bugzilla-2.16.7/debian/changelog	2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/debian/changelog	2005-05-19 14:49:03 UTC (rev 97)
@@ -1,3 +1,12 @@
+bugzilla (2.16.7-7) unstable; urgency=low
+
+  * Applied upstream security patch (backport from the upstream 2.16.10
+    release) for closing CAN-2005-1564 and CAN-2005-1563 (bugzilla's 
+    bugs #287109, #294655)
+    (closes: #308787)
+
+ -- Alexis Sukrieh <sukria@sukria.net>  Thu, 19 May 2005 16:46:56 +0200
+
 bugzilla (2.16.7-6) unstable; urgency=low
 
   * Added a "checkpo" target in debian/rules for checking the debian/po files.

Modified: trunk/bugzilla-2.16.7/enter_bug.cgi
===================================================================
--- trunk/bugzilla-2.16.7/enter_bug.cgi	2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/enter_bug.cgi	2005-05-19 14:49:03 UTC (rev 97)
@@ -224,38 +224,11 @@
 
 # If the usebuggroupsentry parameter is set, we need to check and make sure
 # that the user has permission to enter a bug against this product.
-if(Param("usebuggroupsentry") 
-   && GroupExists($product) 
-   && !UserInGroup($product)) 
-{
-    DisplayError("Sorry; you do not have the permissions necessary to " .
-                 "enter a bug against this product.\n");         
-    exit;
-}
+CanEnterProductOrWarn($product);
 
 GetVersionTable();
 
-if (lsearch(\@::enterable_products, $product) == -1) {
-    DisplayError("'" . html_quote($product) . "' is not a valid product.");
-    exit;
-}
-    
-if (0 == @{$::components{$product}}) {
-    my $error = "Sorry; there needs to be at least one component for this " .
-                "product in order to create a new bug. ";
-    if (UserInGroup('editcomponents')) {
-        $error .= "<a href=\"editcomponents.cgi\">" . 
-                  "Create a new component</a>\n";
-    }
-    else {              
-        $error .= "Please contact " . Param("maintainer") . ", detailing " .
-                  "the product in which you tried to create a new bug.\n";
-    }
-        
-    DisplayError($error);   
-    exit;
-} 
-elsif (1 == @{$::components{$product}}) {
+if (1 == @{$::components{$product}}) {
     # Only one component; just pick it.
     $::FORM{'component'} = $::components{$product}->[0];
 }
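Review bot: The context comment above the new `CanEnterProductOrWarn($product);` call still describes only the usebuggroupsentry check, but the helper replaces three removed checks at once: the group test, the `lsearch(\@::enterable_products, ...)` validity test and the "at least one component" test. A reader of this file alone will not know that product existence and the no-component case are now handled before `GetVersionTable()` runs. I would replace the two comment lines with `# Exit with an error unless the product exists, is open for new bugs, has at least one component and (when usebuggroupsentry is set) the user is in the product's group.` The `if (1 == @{$::components{$product}})` branch that follows relies on that helper having already exited for the zero-component case, which is worth stating since the old `0 == @{...}` branch is gone.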

Modified: trunk/bugzilla-2.16.7/globals.pl
===================================================================
--- trunk/bugzilla-2.16.7/globals.pl	2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/globals.pl	2005-05-19 14:49:03 UTC (rev 97)
@@ -849,6 +849,56 @@
     return $ret;
 }
 
+sub CanEnterProductOrWarn {
+    # Determines whether or not a user can enter bugs into the product.
+    my ($productname) = @_;
+
+    SendSQL("SELECT product FROM products WHERE product = " .
+            SqlQuote($productname));
+
+    my $product_exists = (defined(FetchOneColumn())) ? 1 : 0;
+
+    if (!$product_exists
+        || (Param("usebuggroupsentry")
+            && GroupExists($productname)
+            && !UserInGroup($productname)))
+    {
+        DisplayError("Sorry, either this product does not exist, or you
+                      don't have the required permissions to enter a bug
+                      against that product.", "Permission Denied");
+        exit;
+    }
+
+    SendSQL("SELECT CASE WHEN disallownew = 0 THEN 1 ELSE 0 END
+             FROM products INNER JOIN components
+             ON components.program = products.product
+             WHERE products.product = " . SqlQuote($productname) . " LIMIT 1");
+
+    my $status = FetchOneColumn();
+
+    # Return 1 if the user can enter bugs into that product;
+    # return 0 if the product is closed for new bug entry;
+    # return undef if the product has no component.
+
+    if (!defined($status)) {
+        my $error = "Sorry; there needs to be at least one component for this " .
+                    "product in order to create a new bug. ";
+        if (UserInGroup('editcomponents')) {
+            $error .= "<a href=\"editcomponents.cgi\">Create a new component</a>\n";
+        }
+        else {              
+            $error .= "Please contact " . Param("maintainer") . ", detailing " .
+                      "the product in which you tried to create a new bug.\n";
+        }
+        DisplayError($error);   
+        exit;
+    } elsif (!$status) {
+        DisplayError("Sorry, entering bugs into this product has been disabled.");
+        exit;
+    }
+    return $status;
+}
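Review bot: The comment block before the final `if` ("return 0 if the product is closed ... return undef if the product has no component") does not match the code: both of those cases call `DisplayError` and `exit`, so the sub only ever returns on the success path, where `$status` is 1. I would replace those three lines with `# Exit with an error page if the product has no component or is closed for new bug entry (disallownew set); otherwise return 1.` and extend the opening comment to say the sub exits rather than returns on every failure, since all three callers in this commit discard the return value. The single "either this product does not exist, or you don't have the required permissions" message is presumably deliberate so that a caller cannot distinguish a nonexistent product from a restricted one; a one-line comment saying so would stop a later maintainer from "improving" it into two distinct messages. Both queries pass `$productname` through `SqlQuote`, which is the right thing given it arrives from form input.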
+
 sub ValidatePassword {
     # Determines whether or not a password is valid (i.e. meets Bugzilla's
     # requirements for length and content).  If the password is valid, the

Modified: trunk/bugzilla-2.16.7/post_bug.cgi
===================================================================
--- trunk/bugzilla-2.16.7/post_bug.cgi	2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/post_bug.cgi	2005-05-19 14:49:03 UTC (rev 97)
@@ -92,13 +92,7 @@
 umask 0;
 
 # Some sanity checking
-if(Param("usebuggroupsentry") && GroupExists($product)) {
-    if(!UserInGroup($product)) {
-        DisplayError("Sorry; you do not have the permissions necessary to enter
-                      a bug against this product.", "Permission Denied");
-        exit;
-    }
-}
+CanEnterProductOrWarn($product);
 
 if (!$::FORM{'component'}) {
     DisplayError("You must choose a component that corresponds to this bug.
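Review bot: The new `CanEnterProductOrWarn($product);` call is stricter than the block it replaces: the removed code only enforced group membership, while the helper also rejects a nonexistent product, a product with no component and a product with disallownew set, which this script previously did not check on the POST side at all. Since `$product` is assigned outside the hunk, a short comment under "# Some sanity checking" such as `# Also rejects unknown, closed (disallownew) and component-less products, not just group restrictions.` would make the widened check visible to the next reader.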

Modified: trunk/bugzilla-2.16.7/process_bug.cgi
===================================================================
--- trunk/bugzilla-2.16.7/process_bug.cgi	2005-05-09 14:27:17 UTC (rev 96)
+++ trunk/bugzilla-2.16.7/process_bug.cgi	2005-05-19 14:49:03 UTC (rev 97)
@@ -39,7 +39,8 @@
 
 # Shut up misguided -w warnings about "used only once":
 
-use vars qw(%versions
+use vars qw(@legal_product
+          %versions
           %components
           %COOKIE
           %legal_keywords
@@ -166,9 +167,19 @@
      || (!$::FORM{'id'} && $::FORM{'product'} ne $::dontchange))
     && CheckonComment( "reassignbycomponent" ))
 {
-    CheckFormField(\%::FORM, 'product', \@::legal_product);
     my $prod = $::FORM{'product'};
 
+    # If at least one bug does not belong to the product we are
+    # moving to, we have to check whether or not the user is
+    # allowed to enter bugs into that product.
+    # Note that this check must be done early to avoid the leakage
+    # of component, version and target milestone names.
+    SendSQL("SELECT 1 FROM bugs
+             WHERE product != " . SqlQuote($prod) .
+           " AND bug_id IN (" . join(',', @idlist) . ") LIMIT 1");
+
+    if (FetchOneColumn()) { CanEnterProductOrWarn($prod) }
+
     # note that when this script is called from buglist.cgi (rather
     # than show_bug.cgi), it's possible that the product will be changed
     # but that the version and/or component will be set to
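Review bot: The new query interpolates `join(',', @idlist)` directly into the SQL; if `@idlist` is empty this produces `bug_id IN ()`, a syntax error, and the query is only safe if every element is a validated integer, which is established (if at all) outside this hunk. I would either guard the whole check with `if (@idlist) { ... }` or add a comment above `SendSQL` stating the invariant, e.g. `# @idlist holds integer bug ids already validated earlier in this script, so they are interpolated unquoted.` Note also that with `CheckFormField(\%::FORM, 'product', \@::legal_product)` removed, `$prod` is no longer validated against the legal product list when every listed bug already belongs to it; that is sound only because such a product must already exist in the bugs table, and a one-line comment saying so would help. The enclosing `if` block continues past the end of the hunk.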