Users should only be able to view attachments if they can view the bug that the file is attached to (bug 70189)

r=tara
jake%acutex.net 2001-06-06 18:36:25 +00:00
parent 27541d4006
commit 53dba83bd9


@ -19,6 +19,7 @@
# Rights Reserved.
#
# Contributor(s): Terry Weissman <terry@mozilla.org>
# Jacob Steenhagen <jake@acutex.net>
use diagnostics;
use strict;
@ -27,17 +28,24 @@ require "CGI.pl";
ConnectToDatabase();
my @row;
if (defined $::FORM{'attach_id'}) {
SendSQL("select mimetype, thedata from attachments where attach_id =".SqlQuote($::FORM{'attach_id'}));
@row = FetchSQLData();
}
if (!@row) {
print "Content-type: text/html\n\n";
PutHeader("Bad ID");
print "Please hit back and try again.\n";
quietly_check_login();
if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) {
DisplayError("Attachment ID should be numeric.");
exit;
}
print qq{Content-type: $row[0]\n\n$row[1]};
SendSQL("select bug_id, mimetype, thedata from attachments where attach_id = $::FORM{'attach_id'}");
my ($bug_id, $mimetype, $thedata) = FetchSQLData();
if (!$bug_id) {
DisplayError("Attachment $::FORM{attach_id} does not exist.");
exit;
}
# Make sure the user can see the bug to which this file is attached
ValidateBugID($bug_id);
print qq{Content-type: $mimetype\n\n$thedata};
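Review bot: The query that selects `bug_id` (by the look of the rendered page, the new one) interpolates `$::FORM{'attach_id'}` into the SQL string directly, where the earlier query passed it through `SqlQuote`, so the regex check a few lines above it is now the only barrier. That check anchors with `$`, which in Perl also matches before a trailing newline, and it runs on an undefined value when the parameter is missing; `if (!defined $::FORM{attach_id} || $::FORM{attach_id} !~ /\A[1-9][0-9]*\z/) {` closes both gaps, and keeping `SqlQuote(...)` around the value in the query would retain a second layer. The access check also depends on `ValidateBugID` ending the request itself when the bug is hidden, since its result is not tested here. That function is not visible on this page, so a comment such as `# ValidateBugID does not return if the user may not see the bug` above the call would make the assumption explicit.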