[Fusionforge-commits] r16200 - in branches: Branch_5_1/src/common/include Branch_5_1/src/debian Branch_5_1/src/www/include Branch_5_1/src/www/top Branch_5_2/src/common/include Branch_5_2/src/debian Branch_5_2/src/www/include Branch_5_2/src/www/top wheezy/common/include wheezy/debian wheezy/www/include wheezy/www/top

Thorsten Glaser mirabilos at fusionforge.org
Mon Sep 3 14:09:32 CEST 2012


Author: mirabilos
Date: 2012-09-03 14:09:31 +0200 (Mon, 03 Sep 2012)
New Revision: 16200

Modified:
   branches/Branch_5_1/src/common/include/Stats.class.php
   branches/Branch_5_1/src/debian/changelog
   branches/Branch_5_1/src/www/include/user_home.php
   branches/Branch_5_1/src/www/top/toplist.php
   branches/Branch_5_2/src/common/include/Stats.class.php
   branches/Branch_5_2/src/debian/changelog
   branches/Branch_5_2/src/www/include/user_home.php
   branches/Branch_5_2/src/www/top/toplist.php
   branches/wheezy/common/include/Stats.class.php
   branches/wheezy/debian/changelog
   branches/wheezy/www/include/user_home.php
   branches/wheezy/www/top/toplist.php
Log:
SECURITY: Do not disclose inaccessible groups on user_home/toplist


Modified: branches/Branch_5_1/src/common/include/Stats.class.php
===================================================================
--- branches/Branch_5_1/src/common/include/Stats.class.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_1/src/common/include/Stats.class.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -1,10 +1,12 @@
-<?php   
+<?php
 /**
  * FusionForge statistics
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002, GForge, LLC
  * Copyright 2009, Roland Mas
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -77,7 +79,7 @@
 	* @return a resultset of unix_group_name, group_name, items
 	*/
 	function getTopMessagesPosted() {
-		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items, g.group_id FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
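Review bot: The docblock directly above this method, `* @return a resultset of unix_group_name, group_name, items`, is now stale because the query also selects `g.group_id`; it should read `* @return a resultset of unix_group_name, group_name, items, group_id`. The same applies to the `getTopPageViews` and `getTopDownloads` hunks below (and to the Branch_5_2 and wheezy copies of Stats.class.php), whose `@return` lines also omit the new column. Note also that the `100` row cap is applied in SQL before the caller filters rows by `forge_check_perm`, so a viewer with restricted visibility will see fewer than 100 entries rather than the top 100 they may read; if that matters, the cap would have to move to the caller, but that is a design choice the commit does not need to settle.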
@@ -89,11 +91,11 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopPageViews() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC', 
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items, g.group_id FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
-	
+
 	/**
 	* Returns a resultset containing group_name, unix_group_name, and items - the count of
 	* the downloads for that group
@@ -101,7 +103,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopDownloads() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items, g.group_id FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -111,5 +113,3 @@
 // mode: php
 // c-file-style: "bsd"
 // End:
-
-?>

Modified: branches/Branch_5_1/src/debian/changelog
===================================================================
--- branches/Branch_5_1/src/debian/changelog	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_1/src/debian/changelog	2012-09-03 12:09:31 UTC (rev 16200)
@@ -6,8 +6,9 @@
 
   [ Thorsten Glaser ]
   * SECURITY: Upon user deletion, remove their Unix account as well
+  * SECURITY: Do not disclose inaccessible groups on user_home/toplist
 
- -- Thorsten Glaser <tg at mirbsd.de>  Mon, 03 Sep 2012 11:51:57 +0200
+ -- Thorsten Glaser <tg at mirbsd.de>  Mon, 03 Sep 2012 14:07:16 +0200
 
 fusionforge (5.1.1-8) unstable; urgency=low
 

Modified: branches/Branch_5_1/src/www/include/user_home.php
===================================================================
--- branches/Branch_5_1/src/www/include/user_home.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_1/src/www/include/user_home.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -2,10 +2,11 @@
 /**
  * Developer Info Page
  *
- * Copyright 1999-2001 (c) VA Linux Systems 
+ * Copyright 1999-2001 (c) VA Linux Systems
  * Copyright 2010, FusionForge Team
  * Copyright (C) 2011 Alain Peyrat - Alcatel-Lucent
- * http://fusionforge.org
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -42,7 +43,7 @@
 	<td>
 
 <table class="my-layout-table" id="user-profile-personal-info">
-<tr> 
+<tr>
 	<td>
 		<?php echo _('User Id:') ?>
 	</td>
@@ -67,8 +68,8 @@
 
 <tr>
 	<td><?php echo _('Login name:') ?></td>
-	<td><strong><span property="sioc:name"><?php 
-		print $user->getUnixName(); 
+	<td><strong><span property="sioc:name"><?php
+		print $user->getUnixName();
 		?></span></strong></td>
 </tr>
 
@@ -77,9 +78,9 @@
 	<td>
 		<div rev="foaf:account">
 			<div about="#me" typeof="foaf:Person">
-				<strong><span property="foaf:name"><?php 
+				<strong><span property="foaf:name"><?php
 				$user_title = $user->getTitle();
-				print ($user_title ? $user_title .' ' :''). $user->getRealName(); 
+				print ($user_title ? $user_title .' ' :''). $user->getRealName();
 				?></span></strong>
 			</div>
 		</div>
@@ -90,14 +91,14 @@
 <tr>
 	<td><?php echo _('Email Address:') ?>: </td>
 	<td>
-	<strong><?php 
+	<strong><?php
 		$user_mail=$user->getEmail();
 		$user_mailsha1=$user->getSha1Email();
 		// Removed for privacy reasons
 		//print '<span property="sioc:email" content="'. $user_mail .'">';
 		print '<span property="sioc:email_sha1" content="'. $user_mailsha1 .'">';
-		echo util_make_link ('/sendmessage.php?touser='.$user_id, str_replace('@',' @nospam@ ',$user_mail)); 
-		echo '</span>'; 
+		echo util_make_link ('/sendmessage.php?touser='.$user_id, str_replace('@',' @nospam@ ',$user_mail));
+		echo '</span>';
 	?></strong>
 	</td>
 </tr>
@@ -120,10 +121,10 @@
 <?php if ($user->getPhone()) { ?>
 <tr>
 	<td><?php echo _('Phone:'); ?></td>
-	<td><?php 
+	<td><?php
 //print '<div property="foaf:phone" content="'.$user->getPhone().'">';
-echo $user->getPhone(); 
-//echo '</div>'; 
+echo $user->getPhone();
+//echo '</div>';
 ?></td>
 </tr>
 <?php } ?>
@@ -164,7 +165,7 @@
 
 if (forge_get_config('use_diary')) {
 		echo $HTML->boxMiddle(_('Diary and Notes'), _('Diary and Notes'));
-	 
+
 		/*
 			Get their diary information
 		*/
@@ -184,7 +185,7 @@
 		echo '</p>';
 		$hookparams['user_id'] = $user_id;
 		plugin_hook("user_personal_links",$hookparams);
-	}	
+	}
 	?>
 
 
@@ -205,14 +206,18 @@
 	<?php
 } else { // endif no groups
 	print "<p>"._('This developer is a member of the following projects:')."</p>\n";
-	
+
 	foreach ($projects as $p) {
+		if (!forge_check_perm('project_read', $p->getID())) {
+			continue;
+		}
+
 		$project_link = util_make_link_g ($p->getUnixName(),$p->getID(),$p->getPublicName());
 		$project_uri = util_make_url_g ($p->getUnixName(),$p->getID());
-		// sioc:UserGroups for all members of a project are named after /projects/A_PROJECT/members/ 
+		// sioc:UserGroups for all members of a project are named after /projects/A_PROJECT/members/
 		$usergroup_uri = $project_uri .'members/';
-		
-		
+
+
 		print '<div rel="sioc:member_of">'."\n"
 			.'<div about="'. $usergroup_uri .'" typeof="sioc:UserGroup">'."\n"
 			.'<div rel="sioc:usergroup_of">'."\n"
@@ -228,17 +233,17 @@
 				$sioc_has_function_close .= "</div>";
 			}
 		}
-		
+
 		print ('<br />' . $project_link .' ('.htmlspecialchars (implode (', ', $role_names)).')');
 		print "\n";
-		
+
 		if (forge_check_perm_for_user ($user, 'project_admin', $p->getID())) {
 			print '<span rev="doap:maintainer" resource="#me"></span>';
 		}
 		else {
 			print '<span rev="doap:developer" resource="#me"></span>';
 		}
-		
+
 		echo $sioc_has_function_close."\n";  // sioc:has_function
 		echo "</div>\n";  // sioc:Space .../projects/A_PROJECT/
 		echo "</div>\n"; // sioc:usergroup_of
@@ -250,9 +255,9 @@
 
 echo "</div>\n"; // end of about=""
 
-$me = session_get_user(); 
+$me = session_get_user();
 if (forge_get_config('use_ratings')) {
-if ($user->usesRatings() && (!$me || $me->usesRatings())) { 
+if ($user->usesRatings() && (!$me || $me->usesRatings())) {
 
 print "<p>";
 print _('If you are familiar with this user, please take a moment to rate him/her on the following criteria. Keep in mind, that your rating will be visible to the user and others.');
@@ -281,7 +286,7 @@
 <?php }
       }
 
-echo $HTML->boxBottom(); 
+echo $HTML->boxBottom();
 
 $HTML->footer(array());
 
@@ -289,5 +294,3 @@
 // mode: php
 // c-file-style: "bsd"
 // End:
-
-?>

Modified: branches/Branch_5_1/src/www/top/toplist.php
===================================================================
--- branches/Branch_5_1/src/www/top/toplist.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_1/src/www/top/toplist.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -5,7 +5,8 @@
  *
  * Copyright 1999-2000 (c) The SourceForge Crew
  * Copyright 2002-2004 (c) GForge Team
- * http://fusionforge.org/
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -32,6 +33,7 @@
 $stats = new Stats();
 
 if ($type == 'downloads_week') {
+	$res_top = "oops… no function for this in class Stats";
 	$title = _('Top Downloads in the Past 7 Days');
 	$column1 = _('Downloads');
 }
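Review bot: `$res_top = "oops… no function for this in class Stats";` puts a string into the variable that the later hunk passes to `db_fetch_array($res_top)`, so the `downloads_week` type now fails inside the database layer instead of with an undefined variable; either way the user gets an error page rather than a message. A clearer fallback is `$res_top = false;` here and a guard before the fetch loop, such as `if ($res_top === false) { print '<p>' . _('No statistics available for this list.') . '</p>'; }` followed by skipping the loop. The `if`/`elseif` chain this hunk belongs to continues outside the hunk. The Branch_5_2 toplist.php hunk has the same placeholder.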
@@ -47,6 +49,7 @@
 }
 // default to downloads
 else {
+	$type = 'downloads';
 	$res_top = $stats->getTopDownloads();
 	$title = _('Top Downloads');
 	$column1 = _('Downloads');
@@ -61,9 +64,17 @@
 $display_rank = 0;
 $i=0;
 while ($row_top = db_fetch_array($res_top)) {
-	if (!forge_check_perm ('project_read', $row_top['group_id']) && forge_check_perm('frs', $row_new['group_id'], 'read_public') ) {
-		continue ;
+	if (!forge_check_perm('project_read', $row_top['group_id'])) {
+		continue;
 	}
+	if (($type == 'downloads_week' || $type == 'downloads') && 0 &&
+	    !forge_check_perm('frs', $row_new['group_id'], 'read_public')) {
+		continue;
+	}
+	/*-
+	 * pageviews_proj: project_read probably enough
+	 * forumposts_week: forum read? no idea…
+	 */
 	$i++;
 	if ($row_top["items"] == 0) {
 		continue;
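Review bot: The second condition references `$row_new['group_id']`, but the loop variable is `$row_top` (see the `while` line and the first check), so `$row_new` is undefined here; the `&& 0 &&` short-circuit currently makes this branch dead code, which is why it does not misbehave today, but as soon as the `0` is removed the frs check will run against a null group id. It should read `!forge_check_perm('frs', $row_top['group_id'], 'read_public')`. The `/*-` comment beneath it records open questions about `pageviews_proj` and `forumposts_week`; those would be easier to track as a `// TODO:` line naming who decides the required permission. The same hunk appears in the Branch_5_2 and wheezy toplist.php sections.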
@@ -85,5 +96,3 @@
 // mode: php
 // c-file-style: "bsd"
 // End:
-
-?>

Modified: branches/Branch_5_2/src/common/include/Stats.class.php
===================================================================
--- branches/Branch_5_2/src/common/include/Stats.class.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_2/src/common/include/Stats.class.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -5,6 +5,8 @@
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2002, GForge, LLC
  * Copyright 2009, Roland Mas
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -84,7 +86,7 @@
 	* @return a resultset of unix_group_name, group_name, items
 	*/
 	function getTopMessagesPosted() {
-		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items, g.group_id FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -96,7 +98,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopPageViews() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items, g.group_id FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -108,7 +110,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopDownloads() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items, g.group_id FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -118,5 +120,3 @@
 // mode: php
 // c-file-style: "bsd"
 // End:
-
-?>

Modified: branches/Branch_5_2/src/debian/changelog
===================================================================
--- branches/Branch_5_2/src/debian/changelog	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_2/src/debian/changelog	2012-09-03 12:09:31 UTC (rev 16200)
@@ -17,8 +17,9 @@
   * Check image upload is enabled before trying to do so (Closes: #679521)
   * Unbreak and silence the MediaWiki nightly dump cronjob (Closes: #680165)
   * SECURITY: Upon user deletion, remove their Unix account as well
+  * SECURITY: Do not disclose inaccessible groups on user_home/toplist
 
- -- Thorsten Glaser <tg at mirbsd.de>  Mon, 03 Sep 2012 11:55:51 +0200
+ -- Thorsten Glaser <tg at mirbsd.de>  Mon, 03 Sep 2012 14:07:16 +0200
 
 fusionforge (5.2~rc1wheezy1~exp1) experimental; urgency=low
 

Modified: branches/Branch_5_2/src/www/include/user_home.php
===================================================================
--- branches/Branch_5_2/src/www/include/user_home.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_2/src/www/include/user_home.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -6,7 +6,8 @@
  * Copyright 2010, FusionForge Team
  * Copyright (C) 2011 Alain Peyrat - Alcatel-Lucent
  * Copyright 2012, Franck Villaume - TrivialDev
- * http://fusionforge.org
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -36,7 +37,7 @@
 $title = _('User Profile');
 $HTML->header(array('title'=>$title));
 
-echo $HTML->boxTop(_('Personal Information'), _('Personal Information')); 
+echo $HTML->boxTop(_('Personal Information'), _('Personal Information'));
 
 ?>
 
@@ -44,9 +45,9 @@
 
 
 	<?php
-	
+
 	echo user_personal_information($user);
-	
+
 	if (forge_get_config('use_ratings')) {
 		echo $HTML->boxMiddle(_('Peer Rating'), _('Peer Rating'));
         echo '<table class="my-layout-table" id="user-profile-rating">';
@@ -105,6 +106,10 @@
 	print "<p>"._('This developer is a member of the following projects:')."</p>\n";
 
 	foreach ($projects as $p) {
+		if (!forge_check_perm('project_read', $p->getID())) {
+			continue;
+		}
+
 		$display = 0;
 		if (!$p->isPublic()) {
 			$currentUser = session_get_user();
@@ -202,5 +207,3 @@
 // mode: php
 // c-file-style: "bsd"
 // End:
-
-?>

Modified: branches/Branch_5_2/src/www/top/toplist.php
===================================================================
--- branches/Branch_5_2/src/www/top/toplist.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/Branch_5_2/src/www/top/toplist.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -5,7 +5,8 @@
  *
  * Copyright 1999-2000 (c) The SourceForge Crew
  * Copyright 2002-2004 (c) GForge Team
- * http://fusionforge.org/
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -32,6 +33,7 @@
 $stats = new Stats();
 
 if ($type == 'downloads_week') {
+	$res_top = "oops… no function for this in class Stats";
 	$title = _('Top Downloads in the Past 7 Days');
 	$column1 = _('Downloads');
 }
@@ -47,6 +49,7 @@
 }
 // default to downloads
 else {
+	$type = 'downloads';
 	$res_top = $stats->getTopDownloads();
 	$title = _('Top Downloads');
 	$column1 = _('Downloads');
@@ -61,9 +64,17 @@
 $display_rank = 0;
 $i=0;
 while ($row_top = db_fetch_array($res_top)) {
-	if (!forge_check_perm ('project_read', $row_top['group_id']) && forge_check_perm('frs', $row_new['group_id'], 'read_public') ) {
-		continue ;
+	if (!forge_check_perm('project_read', $row_top['group_id'])) {
+		continue;
 	}
+	if (($type == 'downloads_week' || $type == 'downloads') && 0 &&
+	    !forge_check_perm('frs', $row_new['group_id'], 'read_public')) {
+		continue;
+	}
+	/*-
+	 * pageviews_proj: project_read probably enough
+	 * forumposts_week: forum read? no idea…
+	 */
 	$i++;
 	if ($row_top["items"] == 0) {
 		continue;
@@ -85,5 +96,3 @@
 // mode: php
 // c-file-style: "bsd"
 // End:
-
-?>

Modified: branches/wheezy/common/include/Stats.class.php
===================================================================
--- branches/wheezy/common/include/Stats.class.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/wheezy/common/include/Stats.class.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -84,7 +84,7 @@
 	* @return a resultset of unix_group_name, group_name, items
 	*/
 	function getTopMessagesPosted() {
-		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items, g.group_id FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -96,7 +96,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopPageViews() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items, g.group_id FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -108,7 +108,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopDownloads() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items, g.group_id FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}

Modified: branches/wheezy/debian/changelog
===================================================================
--- branches/wheezy/debian/changelog	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/wheezy/debian/changelog	2012-09-03 12:09:31 UTC (rev 16200)
@@ -12,8 +12,9 @@
   * Unbreak and silence the MediaWiki nightly dump cronjob (Closes: #680165)
   * Remove minified ECMAscript and binary *.jar from the source
   * SECURITY: Upon user deletion, remove their Unix account as well
+  * SECURITY: Do not disclose inaccessible groups on user_home/toplist
 
- -- Thorsten Glaser <tg at mirbsd.de>  Mon, 03 Sep 2012 11:55:51 +0200
+ -- Thorsten Glaser <tg at mirbsd.de>  Mon, 03 Sep 2012 14:07:16 +0200
 
 fusionforge (5.2~rc1-5) unstable; urgency=low
 

Modified: branches/wheezy/www/include/user_home.php
===================================================================
--- branches/wheezy/www/include/user_home.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/wheezy/www/include/user_home.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -104,6 +104,10 @@
 	print "<p>"._('This developer is a member of the following projects:')."</p>\n";
 
 	foreach ($projects as $p) {
+		if (!forge_check_perm('project_read', $p->getID())) {
+			continue;
+		}
+
 		$project_link = util_make_link_g ($p->getUnixName(),$p->getID(),$p->getPublicName());
 		$project_uri = util_make_url_g ($p->getUnixName(),$p->getID());
 		// sioc:UserGroups for all members of a project are named after /projects/A_PROJECT/members/

Modified: branches/wheezy/www/top/toplist.php
===================================================================
--- branches/wheezy/www/top/toplist.php	2012-09-03 11:17:58 UTC (rev 16199)
+++ branches/wheezy/www/top/toplist.php	2012-09-03 12:09:31 UTC (rev 16200)
@@ -47,6 +47,7 @@
 }
 // default to downloads
 else {
+	$type = 'downloads';
 	$res_top = $stats->getTopDownloads();
 	$title = _('Top Downloads');
 	$column1 = _('Downloads');
@@ -61,9 +62,17 @@
 $display_rank = 0;
 $i=0;
 while ($row_top = db_fetch_array($res_top)) {
-	if (!forge_check_perm ('project_read', $row_top['group_id']) && forge_check_perm('frs', $row_new['group_id'], 'read_public') ) {
-		continue ;
+	if (!forge_check_perm('project_read', $row_top['group_id'])) {
+		continue;
 	}
+	if (($type == 'downloads_week' || $type == 'downloads') && 0 &&
+	    !forge_check_perm('frs', $row_new['group_id'], 'read_public')) {
+		continue;
+	}
+	/*-
+	 * pageviews_proj: project_read probably enough
+	 * forumposts_week: forum read? no idea…
+	 */
 	$i++;
 	if ($row_top["items"] == 0) {
 		continue;



