diff options
| author |   Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:21:35 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:21:35 +0100 |
| commit | 7a8e966a67b51178f688d7fc625281af351e9ee2 (patch) | |
| tree | 4d75e4e630947f724d8290ee78fdc35925a592b8 | |
| parent | Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product... (diff) | |
| download | bugzilla-7a8e966a67b51178f688d7fc625281af351e9ee2.tar.gz bugzilla-7a8e966a67b51178f688d7fc625281af351e9ee2.tar.bz2 bugzilla-7a8e966a67b51178f688d7fc625281af351e9ee2.zip | |
Bug 802204 (CVE-2012-4197): [SECURITY] Marking an attachment you cannot see as obsolete can disclose its description
r=gerv a=LpSolit
| -rw-r--r-- | Bugzilla/Attachment.pm | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm index 8f296d263..e7e707b98 100644 --- a/Bugzilla/Attachment.pm +++ b/Bugzilla/Attachment.pm @@ -765,11 +765,8 @@ sub validate_obsolete { $attachment->validate_can_edit($bug->product_id) || ThrowUserError('illegal_attachment_edit', { attach_id => $attachment->id }); - $vars->{'description'} = $attachment->description; - if ($attachment->bug_id != $bug->bug_id) { $vars->{'my_bug_id'} = $bug->bug_id; - $vars->{'attach_bug_id'} = $attachment->bug_id; ThrowUserError('mismatched_bug_ids_on_obsolete', $vars); } |