author | lpsolit%gmail.com <> | 2005-10-01 05:25:49 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-10-01 05:25:49 +0000 |
commit | 88d7ced2b3871564e7e84dd8ec3be5bd39e8f999 (patch) | |
tree | 0e3a81644b777f8850b0e5c38038a1b875272560 /Bugzilla | |
parent | Bug 308256: [SECURITY] config.cgi doesn't check Param('requirelogin') - Patch... (diff) | |
Bug 308662: [SECURITY] User matching bypasses 'usevisibilitygroups' restrictions - Patch by Joel Peshkin <bugreport@peshkin.net> r=LpSolit a=justdave
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/User.pm | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 1abc16d35..3fca325b6 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -711,10 +711,10 @@ sub match { if (&::Param('usevisibilitygroups')) { $query .= ", user_group_map"; } - $query .= " WHERE " . + $query .= " WHERE (" . $dbh->sql_position($sqlstr, 'LOWER(login_name)') . " > 0" . " OR " . - $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0"; + $dbh->sql_position($sqlstr, 'LOWER(realname)') . " > 0)"; if (&::Param('usevisibilitygroups')) { $query .= " AND user_group_map.user_id = userid" . " AND isbless = 0" . |
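Review bot: The newly parenthesised login_name/realname match in the WHERE clause carries no comment explaining why the grouping matters, and the diffstat shows no test accompanying it. Because AND binds tighter than OR in SQL, the pre-patch string attached the appended " AND user_group_map.user_id = userid" and " AND isbless = 0" conditions only to the realname branch, so a row matching on login_name was not subject to the visibility-group filter. A one-line comment above `$query .= " WHERE (" .` stating that the OR group must stay wrapped would keep a later edit from reintroducing that. A sturdier shape would collect the conditions in a list, wrap each in parentheses and join them with " AND ", and a regression test with 'usevisibilitygroups' enabled and a user who matches only by login_name would cover this case.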