[SECURITY] Bug 250605: Changes to the metadata (filename, description, mime type, review flags) on attachments which were flagged as private get displayed to users who are not members of the group allowed to see private attachments when receiving bug change notification mails. This only affects sites that use the 'insidergroup' feature.

Patch by Joel Peshkin <bugreport@peshkin.net> r=kiko,justdave, a=justdave
2004-10-25 07:36:13 +00:00 · 2004-10-25 07:36:13 +00:00 · 62149a61ff
--- a/webtools/bugzilla/Bugzilla/BugMail.pm
+++ b/webtools/bugzilla/Bugzilla/BugMail.pm
@ -238,6 +238,11 @@ sub ProcessOneBug($) {
            $old = FormatTimeUnit($old);
            $new = FormatTimeUnit($new);
        }
+        if ($attachid) {
+            SendSQL("SELECT isprivate FROM attachments 
+                     WHERE attach_id = $attachid");
+            $diffpart->{'isprivate'} = FetchOneColumn();
+        }
        $difftext = FormatTriple($what, $old, $new);
        $diffpart->{'header'} = $diffheader;
        $diffpart->{'fieldname'} = $fieldname;
@ -772,6 +777,11 @@ sub NewProcessOnePerson ($$$$$$$$$$$$$) {
            if ($user->groups->{Param("timetrackinggroup")}) {
                $add_diff = 1;
            }
+        } elsif (($diff->{'isprivate'}) 
+                 && Param('insidergroup')
+                 && !($user->groups->{Param('insidergroup')})
+                ) {
+            $add_diff = 0;
        } else {
            $add_diff = 1;
        }