(CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and...

<https://bugzilla.mozilla.org/show_bug.cgi?id=824399>
<exp2://Ticket/14465628>

Applied "v5 patch, 3.6" to bugs.webkit.org.

* Bugzilla/Config/GroupSecurity.pm:
(get_param_list):
* buglist.cgi:
* report.cgi:
* template/en/default/admin/params/groupsecurity.html.tmpl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145302 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm b/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm
index 0a238f2..bfc4f22 100644 (file)
--- a/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm
+++ b/Websites/bugs.webkit.org/Bugzilla/Config/GroupSecurity.pm
@@ -87,6 +87,14 @@ sub get_param_list {
   },
   
   {
+   name => 'debug_group',
+   type => 's',
+   choices => \&_get_all_group_names,
+   default => 'admin',
+   checker => \&check_group
+  },
+  
+  {
    name => 'usevisibilitygroups',
    type => 'b',
    default => 0

diff --git a/Websites/bugs.webkit.org/ChangeLog b/Websites/bugs.webkit.org/ChangeLog
index 466176f..59bfe63 100644 (file)
--- a/Websites/bugs.webkit.org/ChangeLog
+++ b/Websites/bugs.webkit.org/ChangeLog
@@ -1,5 +1,19 @@
 2013-03-08  David Kilzer  <ddkilzer@apple.com>
 
+        (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence of products and components you cannot access
+        <https://bugzilla.mozilla.org/show_bug.cgi?id=824399>
+        <exp2://Ticket/14465628>
+
+        Applied "v5 patch, 3.6" to bugs.webkit.org.
+
+        * Bugzilla/Config/GroupSecurity.pm:
+        (get_param_list):
+        * buglist.cgi:
+        * report.cgi:
+        * template/en/default/admin/params/groupsecurity.html.tmpl:
+
+2013-03-08  David Kilzer  <ddkilzer@apple.com>
+
         (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
         <https://bugzilla.mozilla.org/show_bug.cgi?id=842038>
         <exp2://Ticket/14465628>

diff --git a/Websites/bugs.webkit.org/buglist.cgi b/Websites/bugs.webkit.org/buglist.cgi
index f6ea3c0..e8b40fc 100755 (executable)
--- a/Websites/bugs.webkit.org/buglist.cgi
+++ b/Websites/bugs.webkit.org/buglist.cgi
@@ -1006,7 +1006,10 @@ elsif ($fulltext) {
 # Query Execution
 ################################################################################
 
-if ($cgi->param('debug')) {
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
     $vars->{'debug'} = 1;
     $vars->{'query'} = $query;
     $vars->{'debugdata'} = $search->getDebugData();

diff --git a/Websites/bugs.webkit.org/report.cgi b/Websites/bugs.webkit.org/report.cgi
index df25318..f4360ef 100755 (executable)
--- a/Websites/bugs.webkit.org/report.cgi
+++ b/Websites/bugs.webkit.org/report.cgi
@@ -247,7 +247,13 @@ $vars->{'width'} = $width if $width;
 $vars->{'height'} = $height if $height;
 
 $vars->{'query'} = $query;
-$vars->{'debug'} = $cgi->param('debug');
+
+if ($cgi->param('debug')
+    && Bugzilla->params->{debug_group}
+    && Bugzilla->user->in_group(Bugzilla->params->{debug_group})
+) {
+    $vars->{'debug'} = 1;
+}
 
 my $formatparam = $cgi->param('format');
 

diff --git a/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl b/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl
index 440e1cf..2330c44 100644 (file)
--- a/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl
+++ b/Websites/bugs.webkit.org/template/en/default/admin/params/groupsecurity.html.tmpl
@@ -48,6 +48,9 @@
   querysharegroup => "The name of the group of users who can share their " _
                      "saved searches with others.",
 
+  debug_group => "The name of the group of users who can view the actual " _
+                 "SQL query generated when viewing $terms.bug lists and reports.",
+
   usevisibilitygroups => "Do you wish to restrict visibility of users to members of " _
                          "specific groups?",