Commit dbd64ec5 authored by Per Cederqvist's avatar Per Cederqvist

Imported Bugzilla 2.18.6.

parent cae68ddc
......@@ -84,9 +84,8 @@ sub query
my @attachments = ();
while (&::MoreSQLData()) {
my %a;
my $submitter_id;
($a{'attachid'}, $a{'date'}, $a{'contenttype'}, $a{'description'},
$a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, $submitter_id,
$a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, $a{'submitter_id'},
$a{'datasize'}) = &::FetchSQLData();
# Retrieve a list of flags for this attachment.
......@@ -97,7 +96,7 @@ sub query
# ie the are the submitter, or they have canedit.
# Also show the link if the user is not logged in - in that cae,
# They'll be prompted later
$a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
$a{'canedit'} = ($::userid == 0 || (($a{'submitter_id'} == $::userid ||
$in_editbugs) && $caneditproduct));
push @attachments, \%a;
}
......
/CGI.pm/1.7.2.3/Thu Jul 7 11:58:21 2005//TBUGZILLA-2_18_5
/Cookie.pm/1.2.2.1/Tue Mar 22 22:46:25 2005//TBUGZILLA-2_18_5
/DB.pm/1.5/Thu Mar 18 09:01:35 2004//TBUGZILLA-2_18_5
/LDAP.pm/1.4/Mon Jul 14 13:35:12 2003//TBUGZILLA-2_18_5
/CGI.pm/1.7.2.3/Thu Jul 7 11:58:21 2005//TBUGZILLA-2_18_6
/Cookie.pm/1.2.2.1/Tue Mar 22 22:46:25 2005//TBUGZILLA-2_18_6
/DB.pm/1.5/Thu Mar 18 09:01:35 2004//TBUGZILLA-2_18_6
/LDAP.pm/1.4/Mon Jul 14 13:35:12 2003//TBUGZILLA-2_18_6
D
A D/Login////
A D/Persist////
A D/Verify////
R D/Verify////
R D/Persist////
R D/Login////
NBUGZILLA-2_18_5
NBUGZILLA-2_18_6
/.cvsignore/1.1/Mon Aug 26 22:24:55 2002//TBUGZILLA-2_18_5
/Attachment.pm/1.17/Tue Jul 6 07:08:02 2004//TBUGZILLA-2_18_5
/Auth.pm/1.4/Sat Mar 27 01:28:29 2004//TBUGZILLA-2_18_5
/Bug.pm/1.37.2.6/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_5
/BugMail.pm/1.13.2.5/Sat Mar 19 11:29:41 2005//TBUGZILLA-2_18_5
/CGI.pm/1.10.2.5/Fri Jul 8 21:05:36 2005//TBUGZILLA-2_18_5
/Chart.pm/1.3.2.1/Sun Aug 29 23:14:13 2004//TBUGZILLA-2_18_5
/Config.pm/1.21.2.11/Tue Feb 21 06:51:55 2006//TBUGZILLA-2_18_5
/Constants.pm/1.10.2.2/Fri Jan 7 20:54:32 2005//TBUGZILLA-2_18_5
/DB.pm/1.12.2.3/Thu Aug 4 17:10:37 2005//TBUGZILLA-2_18_5
/Error.pm/1.4.2.1/Mon Jan 3 20:55:54 2005//TBUGZILLA-2_18_5
/Flag.pm/1.18.2.7/Fri Jul 8 05:30:59 2005//TBUGZILLA-2_18_5
/FlagType.pm/1.7.2.2/Fri Jul 8 05:30:59 2005//TBUGZILLA-2_18_5
/RelationSet.pm/1.10/Thu Mar 18 03:57:05 2004//TBUGZILLA-2_18_5
/Search.pm/1.57.2.9/Tue Jul 19 22:41:04 2005//TBUGZILLA-2_18_5
/Series.pm/1.5.2.1/Sun Aug 29 23:14:13 2004//TBUGZILLA-2_18_5
/Template.pm/1.18.2.1/Fri Mar 18 04:16:58 2005//TBUGZILLA-2_18_5
/Token.pm/1.22.2.4/Fri Jul 1 02:55:11 2005//TBUGZILLA-2_18_5
/User.pm/1.20.2.3/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_5
/Util.pm/1.12.2.5/Sun Jan 8 19:53:06 2006//TBUGZILLA-2_18_5
/.cvsignore/1.1/Mon Aug 26 22:24:55 2002//TBUGZILLA-2_18_6
/Attachment.pm/1.17.2.1/Sat Oct 14 21:11:08 2006//TBUGZILLA-2_18_6
/Auth.pm/1.4/Sat Mar 27 01:28:29 2004//TBUGZILLA-2_18_6
/Bug.pm/1.37.2.6/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_6
/BugMail.pm/1.13.2.5/Sat Mar 19 11:29:41 2005//TBUGZILLA-2_18_6
/CGI.pm/1.10.2.5/Fri Jul 8 21:05:36 2005//TBUGZILLA-2_18_6
/Chart.pm/1.3.2.1/Sun Aug 29 23:14:13 2004//TBUGZILLA-2_18_6
/Config.pm/1.21.2.13/Sun Oct 15 08:30:21 2006//TBUGZILLA-2_18_6
/Constants.pm/1.10.2.3/Sat Oct 14 20:37:49 2006//TBUGZILLA-2_18_6
/DB.pm/1.12.2.3/Thu Aug 4 17:10:37 2005//TBUGZILLA-2_18_6
/Error.pm/1.4.2.1/Mon Jan 3 20:55:54 2005//TBUGZILLA-2_18_6
/Flag.pm/1.18.2.7/Fri Jul 8 05:30:59 2005//TBUGZILLA-2_18_6
/FlagType.pm/1.7.2.2/Fri Jul 8 05:30:59 2005//TBUGZILLA-2_18_6
/RelationSet.pm/1.10/Thu Mar 18 03:57:05 2004//TBUGZILLA-2_18_6
/Search.pm/1.57.2.9/Tue Jul 19 22:41:04 2005//TBUGZILLA-2_18_6
/Series.pm/1.5.2.1/Sun Aug 29 23:14:13 2004//TBUGZILLA-2_18_6
/Template.pm/1.18.2.2/Sat Oct 14 20:37:49 2006//TBUGZILLA-2_18_6
/Token.pm/1.22.2.4/Fri Jul 1 02:55:11 2005//TBUGZILLA-2_18_6
/User.pm/1.20.2.4/Sat Oct 14 21:11:08 2006//TBUGZILLA-2_18_6
/Util.pm/1.12.2.6/Sat Oct 14 20:37:49 2006//TBUGZILLA-2_18_6
D/Auth////
D/Template////
A D/Attachment////
A D/Config////
A D/DB////
A D/Install////
A D/Search////
A D/User////
A D/WebService////
R D/WebService////
R D/User////
R D/Search////
R D/Install////
R D/DB////
R D/Config////
R D/Attachment////
NBUGZILLA-2_18_5
NBUGZILLA-2_18_6
......@@ -76,7 +76,7 @@ our $webdotdir = "$datadir/webdot";
Exporter::export_ok_tags('admin', 'db', 'locations');
# Bugzilla version
$Bugzilla::Config::VERSION = "2.18.5";
$Bugzilla::Config::VERSION = "2.18.6";
use Safe;
......
......@@ -57,6 +57,8 @@ use base qw(Exporter);
GRANT_DIRECT
GRANT_DERIVED
GRANT_REGEXP
SAFE_PROTOCOLS
);
@Bugzilla::Constants::EXPORT_OK = qw(contenttypes);
......@@ -191,4 +193,9 @@ use constant GRANT_DIRECT => 0;
use constant GRANT_DERIVED => 1;
use constant GRANT_REGEXP => 2;
# Protocols which are considered as safe.
use constant SAFE_PROTOCOLS => ('afs', 'cid', 'ftp', 'gopher', 'http', 'https',
'irc', 'mid', 'news', 'nntp', 'prospero', 'telnet',
'view-source', 'wais');
1;
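Review bot: The comment `# Protocols which are considered as safe.` does not say safe for what; the constant is consumed by html_light_quote as the whitelist of URL schemes permitted in the `href` and `cite` attributes of user-supplied HTML, and any scheme not listed is rejected there. Suggest `# URL schemes html_light_quote() accepts in href/cite attributes of user-supplied HTML; anything not listed is rejected.` so that a later addition to the list is reviewed with that use in mind.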
......@@ -319,7 +319,9 @@ sub create {
$var =~ s/\@/\@/g;
return $var;
},
html_light => \&Bugzilla::Util::html_light_quote,
# iCalendar contentline filter
ics => [ sub {
my ($context, @args) = @_;
......
TBUGZILLA-2_18_5
TBUGZILLA-2_18_6
/Bugzilla.pm/1.2/Fri Feb 7 07:19:15 2003//TBUGZILLA-2_18_5
/Hook.pm/1.1/Sun Jan 11 17:12:15 2004//TBUGZILLA-2_18_5
/Bugzilla.pm/1.2/Fri Feb 7 07:19:15 2003//TBUGZILLA-2_18_6
/Hook.pm/1.1/Sun Jan 11 17:12:15 2004//TBUGZILLA-2_18_6
D
......@@ -709,6 +709,17 @@ sub is_mover {
return $self->{'is_mover'};
}
sub is_insider {
my $self = shift;
if (!defined $self->{'is_insider'}) {
my $insider_group = Param('insidergroup');
$self->{'is_insider'} =
($insider_group && $self->in_group($insider_group)) ? 1 : 0;
}
return $self->{'is_insider'};
}
1;
__END__
......@@ -867,6 +878,11 @@ Returns true if the user is in the list of users allowed to move bugs
to another database. Note that this method doesn't check whether bug
moving is enabled.
=item C<is_insider>
Returns true if the user can access private comments and attachments,
i.e. if the 'insidergroup' parameter is set and the user belongs to this group.
=back
=head1 SEE ALSO
......
......@@ -31,10 +31,11 @@ use base qw(Exporter);
@Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural
detaint_signed
html_quote url_quote value_quote xml_quote
css_class_quote
css_class_quote html_light_quote
lsearch max min
trim format_time clean_text);
use Bugzilla::Constants;
use Bugzilla::Config;
# This is from the perlsec page, slightly modifed to remove a warning
......@@ -80,6 +81,93 @@ sub html_quote {
return $var;
}
sub html_light_quote {
my ($text) = @_;
# List of allowed HTML elements having no attributes.
my @allow = qw(b strong em i u p br abbr acronym ins del cite code var
dfn samp kbd big small sub sup tt dd dt dl ul li ol);
# Are HTML::Scrubber and HTML::Parser installed?
eval { require HTML::Scrubber;
require HTML::Parser;
};
# We need utf8_mode() from HTML::Parser 3.40 if running Perl >= 5.8.
if ($@ || ($] >= 5.008 && $HTML::Parser::VERSION < 3.40)) { # Package(s) not installed.
my $safe = join('|', @allow);
my $chr = chr(1);
# First, escape safe elements.
$text =~ s#<($safe)>#$chr$1$chr#go;
$text =~ s#</($safe)>#$chr/$1$chr#go;
# Now filter < and >.
$text =~ s#<#&lt;#g;
$text =~ s#>#&gt;#g;
# Restore safe elements.
$text =~ s#$chr/($safe)$chr#</$1>#go;
$text =~ s#$chr($safe)$chr#<$1>#go;
return $text;
}
else { # Packages installed.
# We can be less restrictive. We can accept elements with attributes.
push(@allow, qw(a blockquote q span));
# Allowed protocols.
my $safe_protocols = join('|', SAFE_PROTOCOLS);
my $protocol_regexp = qr{(^(?:$safe_protocols):|^[^:]+$)}i;
# Deny all elements and attributes unless explicitly authorized.
my @default = (0 => {
id => 1,
name => 1,
class => 1,
'*' => 0, # Reject all other attributes.
}
);
# Specific rules for allowed elements. If no specific rule is set
# for a given element, then the default is used.
my @rules = (a => {
href => $protocol_regexp,
title => 1,
id => 1,
name => 1,
class => 1,
'*' => 0, # Reject all other attributes.
},
blockquote => {
cite => $protocol_regexp,
id => 1,
name => 1,
class => 1,
'*' => 0, # Reject all other attributes.
},
'q' => {
cite => $protocol_regexp,
id => 1,
name => 1,
class => 1,
'*' => 0, # Reject all other attributes.
},
);
my $scrubber = HTML::Scrubber->new(default => \@default,
allow => \@allow,
rules => \@rules,
comment => 0,
process => 0);
# Avoid filling the web server error log with Perl 5.8.x.
# In HTML::Scrubber 0.08, the HTML::Parser object is stored in
# the "_p" key, but this may change in future versions.
if ($] >= 5.008 && ref($scrubber->{_p}) eq 'HTML::Parser') {
$scrubber->{_p}->utf8_mode(1);
}
return $scrubber->scrub($text);
}
}
# This orignally came from CGI.pm, by Lincoln D. Stein
sub url_quote {
my ($toencode) = (@_);
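Review bot: The attribute-value pattern `qr{(^(?:$safe_protocols):|^[^:]+$)}i` anchors with `^`/`$`, so `$` also matches before a trailing newline, and the alternation is built from SAFE_PROTOCOLS without quoting; both are harmless with today's list but fragile as the constant grows. Prefer `my $safe_protocols = join('|', map { quotemeta } SAFE_PROTOCOLS);` and `my $protocol_regexp = qr{\A(?:(?:$safe_protocols):|[^:]+\z)}i;`. Whether HTML::Scrubber hands this rule an entity-decoded, untrimmed attribute value is a property of HTML::Parser not visible here; a comment stating that assumption next to the rule would help the next maintainer. Note also that the fallback branch only rewrites `<` and `>`, so the two branches produce different output for the same input; the POD entry for html_light_quote could say so explicitly.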
......@@ -294,6 +382,12 @@ be done in the template where possible.
Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, and E<34> being
replaced with their appropriate HTML entities.
=item C<html_light_quote($val)>
Returns a string where only explicitly allowed HTML elements and attributes
are kept. All HTML elements and attributes not being in the whitelist are either
escaped (if HTML::Scrubber is not installed) or removed.
=item C<url_quote($val)>
Quotes characters so that they may be included as part of a url.
......
......@@ -236,8 +236,13 @@ sub MailPassword {
}
sub PutHeader {
($vars->{'title'}, $vars->{'h1'}, $vars->{'h2'}) = (@_);
my ($title, $h1, $h2) = @_;
# We filter fields here.
$vars->{'title'} = html_quote($title) if defined $title;
$vars->{'h1'} = html_quote($h1) if defined $h1;
$vars->{'h2'} = html_quote($h2) if defined $h2;
$::template->process("global/header.html.tmpl", $::vars)
|| ThrowTemplateError($::template->error());
$vars->{'header_done'} = 1;
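Review bot: The old assignment `($vars->{'title'}, $vars->{'h1'}, $vars->{'h2'}) = (@_);` reset all three keys on every call, while the new `... if defined $title` lines leave an existing `$vars->{'h1'}`/`$vars->{'h2'}` in place when the caller omits them; if PutHeader can run more than once against the same `$vars`, a header from an earlier call would carry over. `$vars->{'title'} = defined $title ? html_quote($title) : undef;` (and likewise for h1 and h2) keeps the quoting and the old reset semantics. I cannot see from the hunk whether `$vars` and the `$::vars` passed to `process` are the same hash; a comment saying so would help. The sub's closing brace is outside the hunk.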
......
/.cvsignore/1.6/Mon May 13 22:28:26 2002//TBUGZILLA-2_18_5
/1x1.gif/1.1/Wed Aug 26 06:14:15 1998/-kb/TBUGZILLA-2_18_5
/Bugzilla.pm/1.10/Sat Mar 27 01:28:29 2004//TBUGZILLA-2_18_5
/CGI.pl/1.211.2.10/Wed Jul 27 20:05:47 2005//TBUGZILLA-2_18_5
/QUICKSTART/1.4/Thu Jul 8 19:59:25 2004//TBUGZILLA-2_18_5
/README/1.52/Fri Oct 10 02:22:39 2003//TBUGZILLA-2_18_5
/UPGRADING/1.1/Fri Aug 10 22:35:21 2001//TBUGZILLA-2_18_5
/UPGRADING-pre-2.8/1.3/Thu Mar 27 00:06:37 2003//TBUGZILLA-2_18_5
/ant.jpg/1.2/Wed Aug 26 22:36:05 1998/-kb/TBUGZILLA-2_18_5
/attachment.cgi/1.58.2.6/Fri Jul 8 05:30:58 2005//TBUGZILLA-2_18_5
/buglist.cgi/1.255.2.12/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_5
/bugzilla.dtd/1.8.4.1/Thu Jun 2 21:27:48 2005//TBUGZILLA-2_18_5
/chart.cgi/1.7.2.2/Thu May 12 01:54:08 2005//TBUGZILLA-2_18_5
/checksetup.pl/1.289.2.35/Sun Jan 8 19:53:05 2006//TBUGZILLA-2_18_5
/colchange.cgi/1.41.2.4/Fri Jul 8 03:44:52 2005//TBUGZILLA-2_18_5
/collectstats.pl/1.38.2.3/Tue Jul 19 14:38:33 2005//TBUGZILLA-2_18_5
/config.cgi/1.5.2.1/Fri Sep 30 22:21:42 2005//TBUGZILLA-2_18_5
/createaccount.cgi/1.33.2.2/Thu May 19 19:40:22 2005//TBUGZILLA-2_18_5
/defparams.pl/1.128.2.5/Mon Feb 20 23:40:56 2006//TBUGZILLA-2_18_5
/describecomponents.cgi/1.26.2.1/Fri Jan 7 21:33:30 2005//TBUGZILLA-2_18_5
/describekeywords.cgi/1.12/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/doeditparams.cgi/1.31/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/duplicates.cgi/1.44/Sat Jul 10 07:17:02 2004//TBUGZILLA-2_18_5
/duplicates.xul/1.1/Tue Nov 5 01:54:01 2002//TBUGZILLA-2_18_5
/editcomponents.cgi/1.41.2.3/Sun Jan 1 21:32:07 2006//TBUGZILLA-2_18_5
/editflagtypes.cgi/1.7.2.5/Thu May 5 19:25:56 2005//TBUGZILLA-2_18_5
/editgroups.cgi/1.38.2.2/Wed Feb 16 16:26:43 2005//TBUGZILLA-2_18_5
/editkeywords.cgi/1.22.2.1/Mon Dec 12 02:47:10 2005//TBUGZILLA-2_18_5
/editmilestones.cgi/1.23.2.2/Tue May 3 19:44:58 2005//TBUGZILLA-2_18_5
/editparams.cgi/1.22/Sun May 23 07:22:32 2004//TBUGZILLA-2_18_5
/editproducts.cgi/1.53.2.6/Mon Jun 6 21:42:02 2005//TBUGZILLA-2_18_5
/editusers.cgi/1.61.2.8/Mon Dec 12 03:26:58 2005//TBUGZILLA-2_18_5
/editversions.cgi/1.22.2.1/Tue Jul 27 15:14:51 2004//TBUGZILLA-2_18_5
/enter_bug.cgi/1.94.2.3/Thu May 12 02:08:34 2005//TBUGZILLA-2_18_5
/globals.pl/1.270.2.12/Fri Jul 8 05:36:34 2005//TBUGZILLA-2_18_5
/importxml.pl/1.36.2.3/Sat Mar 19 11:22:53 2005//TBUGZILLA-2_18_5
/index.cgi/1.13/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/localconfig.js/1.2/Thu Jul 17 22:49:47 2003//TBUGZILLA-2_18_5
/long_list.cgi/1.38/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/move.pl/1.26.2.4/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_5
/padlock.png/1.1.2.2/Thu Sep 23 18:10:06 2004/-kb/TBUGZILLA-2_18_5
/page.cgi/1.15/Sat Apr 17 04:41:14 2004//TBUGZILLA-2_18_5
/post_bug.cgi/1.88.2.10/Sun Jan 8 19:53:05 2006//TBUGZILLA-2_18_5
/process_bug.cgi/1.205.2.24/Sun Jan 8 19:53:05 2006//TBUGZILLA-2_18_5
/productmenu.js/1.1.4.1/Tue Dec 14 02:29:57 2004//TBUGZILLA-2_18_5
/query.cgi/1.126.2.5/Thu Jul 7 11:58:20 2005//TBUGZILLA-2_18_5
/quicksearch.html/1.3/Mon Apr 15 02:47:55 2002//TBUGZILLA-2_18_5
/quicksearch.js/1.11.2.1/Thu Jun 9 09:31:20 2005//TBUGZILLA-2_18_5
/quicksearchhack.html/1.5/Sun Mar 7 23:27:32 2004//TBUGZILLA-2_18_5
/quips.cgi/1.24.2.1/Mon Feb 28 16:37:13 2005//TBUGZILLA-2_18_5
/relogin.cgi/1.25/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/report.cgi/1.24.2.3/Sat Mar 12 02:58:23 2005//TBUGZILLA-2_18_5
/reports.cgi/1.72.2.2/Thu May 12 02:08:34 2005//TBUGZILLA-2_18_5
/request.cgi/1.14.2.2/Tue Dec 14 02:29:57 2004//TBUGZILLA-2_18_5
/robots.txt/1.2/Wed Apr 24 18:11:00 2002//TBUGZILLA-2_18_5
/runtests.pl/1.3.2.1/Fri Sep 3 06:59:31 2004//TBUGZILLA-2_18_5
/runtests.sh/1.7/Thu Mar 27 00:06:47 2003//TBUGZILLA-2_18_5
/sanitycheck.cgi/1.72.2.5/Tue Dec 13 20:57:20 2005//TBUGZILLA-2_18_5
/show_activity.cgi/1.15/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/show_bug.cgi/1.29.2.1/Mon Oct 25 07:26:56 2004//TBUGZILLA-2_18_5
/showattachment.cgi/1.14/Mon May 5 01:15:29 2003//TBUGZILLA-2_18_5
/showdependencygraph.cgi/1.35.2.1/Tue Aug 9 19:48:22 2005//TBUGZILLA-2_18_5
/showdependencytree.cgi/1.29/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/sidebar.cgi/1.14/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_5
/testagent.cgi/1.1.2.1/Thu Jul 22 07:02:48 2004//TBUGZILLA-2_18_5
/testserver.pl/1.1.2.3/Sun Jan 16 13:29:53 2005//TBUGZILLA-2_18_5
/token.cgi/1.26.2.1/Tue Jun 21 14:20:50 2005//TBUGZILLA-2_18_5
/userprefs.cgi/1.58.2.5/Thu May 12 01:54:08 2005//TBUGZILLA-2_18_5
/votes.cgi/1.17.2.3/Thu Jan 27 19:14:22 2005//TBUGZILLA-2_18_5
/whineatnews.pl/1.14.2.4/Fri Jul 8 02:23:41 2005//TBUGZILLA-2_18_5
/xml.cgi/1.12/Thu Mar 27 00:06:50 2003//TBUGZILLA-2_18_5
/.cvsignore/1.6/Mon May 13 22:28:26 2002//TBUGZILLA-2_18_6
/1x1.gif/1.1/Wed Aug 26 06:14:15 1998/-kb/TBUGZILLA-2_18_6
/Bugzilla.pm/1.10/Sat Mar 27 01:28:29 2004//TBUGZILLA-2_18_6
/CGI.pl/1.211.2.11/Sat Oct 14 20:55:05 2006//TBUGZILLA-2_18_6
/QUICKSTART/1.4/Thu Jul 8 19:59:25 2004//TBUGZILLA-2_18_6
/README/1.52/Fri Oct 10 02:22:39 2003//TBUGZILLA-2_18_6
/UPGRADING/1.1/Fri Aug 10 22:35:21 2001//TBUGZILLA-2_18_6
/UPGRADING-pre-2.8/1.3/Thu Mar 27 00:06:37 2003//TBUGZILLA-2_18_6
/ant.jpg/1.2/Wed Aug 26 22:36:05 1998/-kb/TBUGZILLA-2_18_6
/attachment.cgi/1.58.2.7/Sat Oct 14 21:11:08 2006//TBUGZILLA-2_18_6
/buglist.cgi/1.255.2.12/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_6
/bugzilla.dtd/1.8.4.1/Thu Jun 2 21:27:48 2005//TBUGZILLA-2_18_6
/chart.cgi/1.7.2.2/Thu May 12 01:54:08 2005//TBUGZILLA-2_18_6
/checksetup.pl/1.289.2.36/Sat Oct 14 20:37:48 2006//TBUGZILLA-2_18_6
/colchange.cgi/1.41.2.4/Fri Jul 8 03:44:52 2005//TBUGZILLA-2_18_6
/collectstats.pl/1.38.2.3/Tue Jul 19 14:38:33 2005//TBUGZILLA-2_18_6
/config.cgi/1.5.2.1/Fri Sep 30 22:21:42 2005//TBUGZILLA-2_18_6
/createaccount.cgi/1.33.2.2/Thu May 19 19:40:22 2005//TBUGZILLA-2_18_6
/defparams.pl/1.128.2.5/Mon Feb 20 23:40:56 2006//TBUGZILLA-2_18_6
/describecomponents.cgi/1.26.2.1/Fri Jan 7 21:33:30 2005//TBUGZILLA-2_18_6
/describekeywords.cgi/1.12/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/doeditparams.cgi/1.31/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/duplicates.cgi/1.44/Sat Jul 10 07:17:02 2004//TBUGZILLA-2_18_6
/duplicates.xul/1.1/Tue Nov 5 01:54:01 2002//TBUGZILLA-2_18_6
/editcomponents.cgi/1.41.2.4/Sat Oct 14 20:37:48 2006//TBUGZILLA-2_18_6
/editflagtypes.cgi/1.7.2.5/Thu May 5 19:25:56 2005//TBUGZILLA-2_18_6
/editgroups.cgi/1.38.2.4/Sat Oct 14 20:55:05 2006//TBUGZILLA-2_18_6
/editkeywords.cgi/1.22.2.1/Mon Dec 12 02:47:10 2005//TBUGZILLA-2_18_6
/editmilestones.cgi/1.23.2.3/Sat Oct 14 20:37:48 2006//TBUGZILLA-2_18_6
/editparams.cgi/1.22/Sun May 23 07:22:32 2004//TBUGZILLA-2_18_6
/editproducts.cgi/1.53.2.7/Sat Oct 14 20:37:48 2006//TBUGZILLA-2_18_6
/editusers.cgi/1.61.2.9/Sat Oct 14 20:37:48 2006//TBUGZILLA-2_18_6
/editversions.cgi/1.22.2.2/Sat Oct 14 20:37:48 2006//TBUGZILLA-2_18_6
/enter_bug.cgi/1.94.2.3/Thu May 12 02:08:34 2005//TBUGZILLA-2_18_6
/globals.pl/1.270.2.14/Sat Oct 14 21:11:08 2006//TBUGZILLA-2_18_6
/importxml.pl/1.36.2.3/Sat Mar 19 11:22:53 2005//TBUGZILLA-2_18_6
/index.cgi/1.13/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/localconfig.js/1.2/Thu Jul 17 22:49:47 2003//TBUGZILLA-2_18_6
/long_list.cgi/1.38/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/move.pl/1.26.2.4/Thu Sep 8 23:50:29 2005//TBUGZILLA-2_18_6
/padlock.png/1.1.2.2/Thu Sep 23 18:10:06 2004/-kb/TBUGZILLA-2_18_6
/page.cgi/1.15/Sat Apr 17 04:41:14 2004//TBUGZILLA-2_18_6
/post_bug.cgi/1.88.2.10/Sun Jan 8 19:53:05 2006//TBUGZILLA-2_18_6
/process_bug.cgi/1.205.2.24/Sun Jan 8 19:53:05 2006//TBUGZILLA-2_18_6
/productmenu.js/1.1.4.1/Tue Dec 14 02:29:57 2004//TBUGZILLA-2_18_6
/query.cgi/1.126.2.5/Thu Jul 7 11:58:20 2005//TBUGZILLA-2_18_6
/quicksearch.html/1.3/Mon Apr 15 02:47:55 2002//TBUGZILLA-2_18_6
/quicksearch.js/1.11.2.1/Thu Jun 9 09:31:20 2005//TBUGZILLA-2_18_6
/quicksearchhack.html/1.5/Sun Mar 7 23:27:32 2004//TBUGZILLA-2_18_6
/quips.cgi/1.24.2.1/Mon Feb 28 16:37:13 2005//TBUGZILLA-2_18_6
/relogin.cgi/1.25/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/report.cgi/1.24.2.3/Sat Mar 12 02:58:23 2005//TBUGZILLA-2_18_6
/reports.cgi/1.72.2.2/Thu May 12 02:08:34 2005//TBUGZILLA-2_18_6
/request.cgi/1.14.2.3/Sat Oct 14 21:11:08 2006//TBUGZILLA-2_18_6
/robots.txt/1.2/Wed Apr 24 18:11:00 2002//TBUGZILLA-2_18_6
/runtests.pl/1.3.2.1/Fri Sep 3 06:59:31 2004//TBUGZILLA-2_18_6
/runtests.sh/1.7/Thu Mar 27 00:06:47 2003//TBUGZILLA-2_18_6
/sanitycheck.cgi/1.72.2.5/Tue Dec 13 20:57:20 2005//TBUGZILLA-2_18_6
/show_activity.cgi/1.15/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/show_bug.cgi/1.29.2.1/Mon Oct 25 07:26:56 2004//TBUGZILLA-2_18_6
/showattachment.cgi/1.14/Mon May 5 01:15:29 2003//TBUGZILLA-2_18_6
/showdependencygraph.cgi/1.35.2.2/Sat Oct 14 21:32:36 2006//TBUGZILLA-2_18_6
/showdependencytree.cgi/1.29/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/sidebar.cgi/1.14/Sat Mar 27 03:51:44 2004//TBUGZILLA-2_18_6
/testagent.cgi/1.1.2.1/Thu Jul 22 07:02:48 2004//TBUGZILLA-2_18_6
/testserver.pl/1.1.2.3/Sun Jan 16 13:29:53 2005//TBUGZILLA-2_18_6
/token.cgi/1.26.2.1/Tue Jun 21 14:20:50 2005//TBUGZILLA-2_18_6
/userprefs.cgi/1.58.2.5/Thu May 12 01:54:08 2005//TBUGZILLA-2_18_6
/votes.cgi/1.17.2.3/Thu Jan 27 19:14:22 2005//TBUGZILLA-2_18_6
/whineatnews.pl/1.14.2.4/Fri Jul 8 02:23:41 2005//TBUGZILLA-2_18_6
/xml.cgi/1.12/Thu Mar 27 00:06:50 2003//TBUGZILLA-2_18_6
D/Bugzilla////
D/contrib////
D/css////
......
NBUGZILLA-2_18_5
NBUGZILLA-2_18_6
......@@ -140,7 +140,16 @@ elsif ($action eq "update")
validateContentType() unless $::FORM{'ispatch'};
validateIsObsolete();
validatePrivate();
# If the submitter of the attachment is not in the insidergroup,
# be sure that he cannot overwrite the private bit.
# This check must be done before calling Bugzilla::Flag*::validate(),
# because they will look at the private bit when checking permissions.
unless (UserIsInsider()) {
SendSQL("SELECT isprivate FROM attachments WHERE attach_id = $::FORM{'id'}");
$::FORM{'isprivate'} = FetchOneColumn();
}
# The order of these function calls is important, as both Flag::validate
# and FlagType::validate assume User::match_field has ensured that the values
# in the requestee fields are legitimate user email addresses.
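Review bot: The new query `SendSQL("SELECT isprivate FROM attachments WHERE attach_id = $::FORM{'id'}")` interpolates the request parameter straight into SQL, whereas validateCanEdit in this same commit already uses `$dbh->selectrow_array` with a `?` placeholder. Presumably validateID() has rejected a non-numeric `id` before this point (the invalid_attach_id check is visible further down), but that makes the safety of this line depend on call order elsewhere in the file; `my ($db_isprivate) = Bugzilla->dbh->selectrow_array('SELECT isprivate FROM attachments WHERE attach_id = ?', undef, $::FORM{'id'}); $::FORM{'isprivate'} = $db_isprivate;` keeps the guarantee local. The same applies to the validateID query (`WHERE attach_id = $attach_id`) and to the `$and_isprivate` fragment assembled in sub diff, which splices `Bugzilla->user->id` and `$bugid` into the statement text. The enclosing `elsif ($action eq "update")` block starts and ends outside the hunk.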
......@@ -186,15 +195,18 @@ sub validateID
|| ThrowUserError("invalid_attach_id", { attach_id => $cgi->param($param) });
# Make sure the attachment exists in the database.
SendSQL("SELECT bug_id, isprivate FROM attachments WHERE attach_id = $attach_id");
SendSQL("SELECT bug_id, isprivate, submitter_id FROM attachments
WHERE attach_id = $attach_id");
MoreSQLData()
|| ThrowUserError("invalid_attach_id", { attach_id => $attach_id });
# Make sure the user is authorized to access this attachment's bug.
($bugid, my $isprivate) = FetchSQLData();
($bugid, my $isprivate, my $submitter_id) = FetchSQLData();
ValidateBugID($bugid);
if (($isprivate > 0 ) && Param("insidergroup") &&
!(UserInGroup(Param("insidergroup")))) {
if ($isprivate
&& (!defined Bugzilla->user || Bugzilla->user->id != $submitter_id)
&& !UserIsInsider())
{
ThrowUserError("attachment_access_denied");
}
......@@ -237,16 +249,26 @@ sub validateCanEdit
# before calling this sub
return if $::userid == 0;
# People in editbugs can edit all attachments
return if UserInGroup("editbugs");
my $dbh = Bugzilla->dbh;
my ($is_private, $submitter_id) =
$dbh->selectrow_array('SELECT isprivate, submitter_id
FROM attachments WHERE attach_id = ?',
undef, $attach_id);
# Bug 97729 - the submitter can edit their attachments
SendSQL("SELECT attach_id FROM attachments WHERE " .
"attach_id = $attach_id AND submitter_id = $::userid");
return if (defined Bugzilla->user && $submitter_id == Bugzilla->user->id);
FetchSQLData()
|| ThrowUserError("illegal_attachment_edit",
{ attach_id => $attach_id });
# Only people in the insider group can view private attachments.
if ($is_private && !UserIsInsider()) {
ThrowUserError('illegal_attachment_edit', {attach_id => $attach_id});
}
# People in editbugs can edit all attachments
return if UserInGroup("editbugs");
# If we come here, then this attachment cannot be seen by the user.
ThrowUserError("illegal_attachment_edit", { attach_id => $attach_id });
}
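Review bot: After `return if $::userid == 0;` the `defined Bugzilla->user` guard on the submitter check is presumably redundant, since both should describe the same login state; if they can diverge, the comment at the top of the sub ("before calling this sub") should say which one callers must establish. `$submitter_id` is undef when no row matches `$attach_id`, which would warn on the `==` comparison; this relies on validateID having run first, and a one-line `# Row existence is guaranteed by validateID().` above the selectrow_array call would record that. The sub's signature and opening lines are outside the hunk.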
sub validateCanChangeAttachment
......@@ -420,6 +442,9 @@ sub validateObsolete
my ($bugid, $isobsolete, $description) = FetchSQLData();
# Check that the user can modify this attachment
validateCanEdit($attachid);
$vars->{'description'} = $description;
if ($bugid != $::FORM{'bugid'})
......@@ -433,9 +458,6 @@ sub validateObsolete
{
ThrowCodeError("attachment_already_obsolete", $vars);
}
# Check that the user can modify this attachment
validateCanEdit($attachid);
}
}
......@@ -725,10 +747,22 @@ sub diff
{
$vars->{other_patches} = [];
if ($::interdiffbin && $::diffpath) {
# Get list of attachments on this bug.
# Get the list of attachments that the user can view in this bug.
# Ignore the current patch, but select the one right before it
# chronologically.
SendSQL("SELECT attach_id, description FROM attachments WHERE bug_id = $bugid AND ispatch = 1 ORDER BY creation_ts DESC");
my $and_isprivate = '';
unless (UserIsInsider()) {
$and_isprivate = 'AND (isprivate = 0';
if (defined Bugzilla->user) {
$and_isprivate .= ' OR submitter_id = ' . Bugzilla->user->id;
}
$and_isprivate .= ')';
}
SendSQL("SELECT attach_id, description FROM attachments
WHERE bug_id = $bugid AND ispatch = 1 $and_isprivate
ORDER BY creation_ts DESC");
my $select_next_patch = 0;
while (my ($other_id, $other_desc) = FetchSQLData()) {
if ($other_id eq $::FORM{'id'}) {
......@@ -757,10 +791,18 @@ sub viewall
# Retrieve the attachments from the database and write them into an array
# of hashes where each hash represents one attachment.
my $privacy = "";
if (Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) {
$privacy = "AND isprivate < 1 ";
# By default, private attachments are not accessible, unless the user
# is in the insider group or submitted the attachment.
my $privacy = '';