<https://bugzilla.mozilla.org/show_bug.cgi?id=824399>
<exp2://Ticket/14465628>
Applied "v5 patch, 3.6" to bugs.webkit.org.
* Bugzilla/Config/GroupSecurity.pm:
(get_param_list):
* buglist.cgi:
* report.cgi:
* template/en/default/admin/params/groupsecurity.html.tmpl:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145302
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
checker => \&check_group
},
+ {
+ name => 'debug_group',
+ type => 's',
+ choices => \&_get_all_group_names,
+ default => 'admin',
+ checker => \&check_group
+ },
+
{
name => 'usevisibilitygroups',
type => 'b',
+2013-03-08 David Kilzer <ddkilzer@apple.com>
+
+ (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
+ <https://bugzilla.mozilla.org/show_bug.cgi?id=824399>
+ <exp2://Ticket/14465628>
+
+ Applied "v5 patch, 3.6" to bugs.webkit.org.
+
+ * Bugzilla/Config/GroupSecurity.pm:
+ (get_param_list):
+ * buglist.cgi:
+ * report.cgi:
+ * template/en/default/admin/params/groupsecurity.html.tmpl:
+
2013-03-08 David Kilzer <ddkilzer@apple.com>
(CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
# Query Execution
################################################################################
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+ && Bugzilla->params->{debug_group}
+ && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
$vars->{'debug'} = 1;
$vars->{'query'} = $query;
$vars->{'debugdata'} = $search->getDebugData();
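Review bot: The three-part condition added here (`debug` request parameter, non-empty `debug_group` param, `in_group` membership) is repeated verbatim in the report.cgi hunk, so the two copies can drift apart the next time the rule changes. Putting the check in one shared routine that both scripts call would keep the access decision in one place. At minimum, each copy should carry a comment stating the reason, e.g. `# Only members of debug_group may see the generated SQL (CVE-2013-0786); an empty debug_group disables debug output for everyone.` The `if` block opened here closes outside the hunk, so this note assumes the guarded body contains nothing sensitive beyond the three assignments shown.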
$vars->{'height'} = $height if $height;
$vars->{'query'} = $query;
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+ && Bugzilla->params->{debug_group}
+ && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+ $vars->{'debug'} = 1;
+}
my $formatparam = $cgi->param('format');
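Review bot: `$vars->{'query'} = $query;` on the context line above the new check is still assigned for every requester, so the generated SQL is handed to the template even when the user is not in `debug_group`; only the `debug` flag is gated. Whether the report templates emit `query` without `debug` being set is not visible in this hunk, so the protection currently depends on template behaviour. Moving the assignment inside the guarded block, as the buglist.cgi hunk does, removes that dependency: place `$vars->{'query'} = $query;` next to `$vars->{'debug'} = 1;` and drop the unconditional line.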
querysharegroup => "The name of the group of users who can share their " _
"saved searches with others.",
+ debug_group => "The name of the group of users who can view the actual " _
+ "SQL query generated when viewing $terms.bug lists and reports.",
+
usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
"specific groups?",