зеркало из https://github.com/mozilla/gecko-dev.git
[SECURITY] Bug 250605: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when receiving bug change notification mails. This only affects sites that use the 'insidergroup' feature.
Patch by Joel Peshkin <bugreport@peshkin.net> r=kiko,justdave, a=justdave
Родитель
195002eeb3
Коммит
62149a61ff
|
@ -238,6 +238,11 @@ sub ProcessOneBug($) {
|
|||
$old = FormatTimeUnit($old);
|
||||
$new = FormatTimeUnit($new);
|
||||
}
|
||||
if ($attachid) {
|
||||
SendSQL("SELECT isprivate FROM attachments
|
||||
WHERE attach_id = $attachid");
|
||||
$diffpart->{'isprivate'} = FetchOneColumn();
|
||||
}
|
||||
$difftext = FormatTriple($what, $old, $new);
|
||||
$diffpart->{'header'} = $diffheader;
|
||||
$diffpart->{'fieldname'} = $fieldname;
|
||||
|
@ -772,6 +777,11 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
|
|||
if ($user->groups->{Param("timetrackinggroup")}) {
|
||||
$add_diff = 1;
|
||||
}
|
||||
} elsif (($diff->{'isprivate'})
|
||||
&& Param('insidergroup')
|
||||
&& !($user->groups->{Param('insidergroup')})
|
||||
) {
|
||||
$add_diff = 0;
|
||||
} else {
|
||||
$add_diff = 1;
|
||||
}
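Review bot: The privacy check fails open, because the lookup added in ProcessOneBug stores whatever `FetchOneColumn()` returns: if the SELECT yields no row, `isprivate` is undef and the new `elsif` in NewProcessOnePerson falls through to `$add_diff = 1`. Defaulting the other way would treat an attachment whose row cannot be read as private: `my $priv = FetchOneColumn();` then `$diffpart->{'isprivate'} = defined($priv) ? $priv : 1;`. The same query also interpolates `$attachid` directly into the SQL text; its assignment is outside the hunk, so unless it is already guaranteed numeric it should be validated or quoted first. A short comment on the `elsif`, such as `# Hide changes to private attachments from users outside insidergroup`, would make the intent of this check visible to later maintainers. Both function bodies extend beyond the hunks shown.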
|
||||
|
|