author | bbaetz%student.usyd.edu.au <> | 2002-02-01 08:51:38 +0100 |
---|---|---|
committer | bbaetz%student.usyd.edu.au <> | 2002-02-01 08:51:38 +0100 |
commit | 8ec9b2e7dc3ae5ba965cdc2d6576d155ede269c2 (patch) | |
tree | fe360cb184a1cbe80a460d2d943fc36da49e9563 | |
parent | 90e939552558efba046fc89c08eb4cc234d47f2a (diff) | |
Bug 122744 - charting fails taint checks
r=daa@distributed.net, gerv
-rwxr-xr-x | reports.cgi | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/reports.cgi b/reports.cgi
index 0bdc062d1..7e97861fb 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -124,6 +124,10 @@ if (! defined $FORM{'product'}) {
 || DisplayError("You entered an invalid output type.") && exit;
+ # We've checked that the product exists, and that the user can see it
+ # This means that is OK to detaint
+ trick_taint($FORM{'product'});
+
 # Output appropriate HTTP response headers
 print "Content-type: text/html\n";
 # Changing attachment to inline to resolve 46897 - zach@zachlipton.com
@@ -516,6 +520,19 @@ sub chart_image_type {
 sub chart_image_name {
 my ($data_file, $type) = @_;
+ # This routine generates a filename from the requested fields. The problem
+ # is that we have to check the safety of doing this. We can't just require
+ # that the fields exist, because what stats were collected could change
+ # over time (eg by changing the resolutions available)
+ # Instead, just require that each field name consists only of letters
+ # and number
+
+ if ($FORM{'datasets'} !~ m/[A-Za-z0-9:]/) {
+ die "Invalid datasets $FORM{'datasets'}";
+ }
+ # Since we pass the tests, consider it OK
+ trick_taint($FORM{'datasets'});
+
 # Cache charts by generating a unique filename based on what they
 # show. Charts should be deleted by collectstats.pl nightly.
 my $id = join ("_", split (":", $FORM{datasets})); |
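Review bot: The validation added in the second hunk (chart_image_name) does not do what its comment claims: `m/[A-Za-z0-9:]/` is unanchored and has no quantifier, so `!~` only rejects a value that contains no letter, digit or colon at all, and any other characters in `$FORM{'datasets'}` survive into the `trick_taint` call and the filename built from it below. Anchoring and quantifying the class restricts the whole value, `if ($FORM{'datasets'} !~ m/\A[A-Za-z0-9:]+\z/) {`; `\A`/`\z` rather than `^`/`$` so a trailing newline is not accepted either. The same guard should also handle an undefined `$FORM{'datasets'}` before the match and interpolation in the `die` message. The first hunk's comment that the product has already been checked for existence and visibility refers to code outside this hunk, so it cannot be confirmed here; the rest of chart_image_name also continues past the hunk.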