Fix for bug 178800: fixes taint failure in graphical charts with Perl 5.6.0

r=gerv
a=justdave

2 files changed, 18 insertions, 0 deletions

diff --git a/report.cgi b/report.cgi
index 4c5952949..91d5074bc 100755
--- a/report.cgi
+++ b/report.cgi
@@ -109,6 +109,17 @@ $columns{'target_milestone'} = "bugs.target_milestone";
 # so that we always select 3 items in the query.
 $columns{''}                 = "42217354";
 
+# Validate the values in the axis fields or throw an error.
+!$row_field 
+  || ($columns{$row_field} && trick_taint($row_field))
+  || ThrowCodeError("report_axis_invalid", { fld=>"x", val=>$row_field });
+!$col_field 
+  || ($columns{$col_field} && trick_taint($col_field))
+  || ThrowCodeError("report_axis_invalid", { fld=>"y", val=>$col_field });
+!$tbl_field 
+  || ($columns{$tbl_field} && trick_taint($tbl_field))
+  || ThrowCodeError("report_axis_invalid", { fld=>"z", val=>$tbl_field });
+
 my @axis_fields = ($row_field, $col_field, $tbl_field);
 
 my @selectnames = map($columns{$_}, @axis_fields);
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 42c07ab2d..d23234adc 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -176,6 +176,13 @@
   [% ELSIF error == "request_queue_group_invalid" %]
     The group field <em>[% group FILTER html %]</em> is invalid.
 
+  [% ELSIF error == "report_axis_invalid" %]
+    <em>[% variables.val FILTER html %]</em> is not a valid value for 
+    [%+ IF    variables.fld == "x" %]the horizontal axis
+    [%+ ELSIF variables.fld == "y" %]the vertical axis
+    [%+ ELSIF variables.fld == "z" %]the multiple tables/images
+    [%+ ELSE %]a report axis[% END %] field.
+
   [% ELSIF error == "token_generation_error" %]
     Something is seriously wrong with the token generation system.