authorbbaetz%student.usyd.edu.au <>2002-02-01 08:51:38 +0100
committerbbaetz%student.usyd.edu.au <>2002-02-01 08:51:38 +0100
commit8ec9b2e7dc3ae5ba965cdc2d6576d155ede269c2 (patch)
treefe360cb184a1cbe80a460d2d943fc36da49e9563
parent90e939552558efba046fc89c08eb4cc234d47f2a (diff)
Bug 122744 - charting fails taint checks
r=daa@distributed.net, gerv
-rwxr-xr-xreports.cgi17
1 files changed, 17 insertions, 0 deletions
diff --git a/reports.cgi b/reports.cgi
index 0bdc062d1..7e97861fb 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -124,6 +124,10 @@ if (! defined $FORM{'product'}) {
|| DisplayError("You entered an invalid output type.")
&& exit;
+ # We've checked that the product exists, and that the user can see it
+ # This means that is OK to detaint
+ trick_taint($FORM{'product'});
+
# Output appropriate HTTP response headers
print "Content-type: text/html\n";
# Changing attachment to inline to resolve 46897 - zach@zachlipton.com
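Review bot: The justification on the new comment lines (`# We've checked that the product exists, and that the user can see it`) rests on validation that sits above this hunk and is not visible here; the lines immediately preceding `trick_taint($FORM{'product'});` only validate the output type. Because the detaint is exactly as strong as that earlier check, the comment should point at it so a later edit that moves or weakens the product check does not silently leave this trick_taint unjustified, e.g. `# Safe to detaint: $FORM{'product'} was matched above against the list of products this user may see (the check is ~100 lines up; keep the two in sync)`. I am inferring how the product check is written, so adjust the wording to match the actual code. The surrounding block starts outside the hunk.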
@@ -516,6 +520,19 @@ sub chart_image_type {
sub chart_image_name {
my ($data_file, $type) = @_;
+ # This routine generates a filename from the requested fields. The problem
+ # is that we have to check the safety of doing this. We can't just require
+ # that the fields exist, because what stats were collected could change
+ # over time (eg by changing the resolutions available)
+ # Instead, just require that each field name consists only of letters
+ # and number
+
+ if ($FORM{'datasets'} !~ m/[A-Za-z0-9:]/) {
+ die "Invalid datasets $FORM{'datasets'}";
+ }
+ # Since we pass the tests, consider it OK
+ trick_taint($FORM{'datasets'});
+
# Cache charts by generating a unique filename based on what they
# show. Charts should be deleted by collectstats.pl nightly.
my $id = join ("_", split (":", $FORM{datasets}));
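Review bot: The regex in `if ($FORM{'datasets'} !~ m/[A-Za-z0-9:]/)` is unanchored and has no quantifier, so it only rejects a value that contains no letter, digit or colon at all; any value with at least one such character passes and is then detainted on the `trick_taint($FORM{'datasets'});` line, which is weaker than the guarantee the comment above promises ("consists only of letters and number"). Since `$id` on the last line of the hunk is built from this value and used as part of a filename, the check needs to be a full-string whitelist, not a presence test: `if ($FORM{'datasets'} !~ m/\A[A-Za-z0-9:]+\z/) {` (`\z` rather than `$` so a trailing newline is also rejected). The comment could then read `# Require the whole value to be letters, digits and ':' separators before detainting`. The body of `chart_image_name` continues past the hunk.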