diff options
| author | dmose%mozilla.org <> | 1999-12-03 08:21:40 +0100 |
|---|---|---|
| committer | dmose%mozilla.org <> | 1999-12-03 08:21:40 +0100 |
| commit | 054be7c4ef0b5ace9155df00654b48fafd137a3a (patch) | |
| tree | 58cb8b7e3db887e4c1dc69ead41ef0a6b30c603a | |
| parent | 1e216d4eb54fcb827f6910d578f54d92839147a1 (diff) | |
| download | bugzilla-054be7c4ef0b5ace9155df00654b48fafd137a3a.tar.gz bugzilla-054be7c4ef0b5ace9155df00654b48fafd137a3a.tar.xz | |
a bug fix or two and a whole bunch of sanity-checking of form submissions stuff
| -rw-r--r-- | CGI.pl | 59 | ||||
| -rwxr-xr-x | buglist.cgi | 3 | ||||
| -rw-r--r-- | defparams.pl | 10 | ||||
| -rwxr-xr-x | post_bug.cgi | 22 | ||||
| -rwxr-xr-x | process_bug.cgi | 81 |
5 files changed, 163 insertions, 12 deletions
@@ -18,6 +18,7 @@ # Rights Reserved. # # Contributor(s): Terry Weissman <terry@mozilla.org> +# Dan Mosedale <dmose@mozilla.org> # Contains some global routines used throughout the CGI scripts of Bugzilla. @@ -169,10 +170,56 @@ sub ProcessMultipartFormFields { $::FORM{$i} =~ s/\r$//; } } - +# check and see if a given field exists, is non-empty, and is set to a +# legal value. assume a browser bug and abort appropriately if not. +# if $legalsRef is not passed, just check to make sure the value exists and +# is non-NULL +# +sub CheckFormField (\%$;\@) { + my ($formRef, # a reference to the form to check (a hash) + $fieldname, # the fieldname to check + $legalsRef # (optional) ref to a list of legal values + ) = @_; + + if ( !defined $formRef->{$fieldname} || + trim($formRef->{$fieldname}) eq "" || + (defined($legalsRef) && + lsearch($legalsRef, $formRef->{$fieldname})<0) ){ + + print "A legal $fieldname was not set; "; + print Param("browserbugmessage"); + exit 0; + } +} +# check and see if a given field is defined, and abort if not +# +sub CheckFormFieldDefined (\%$) { + my ($formRef, # a reference to the form to check (a hash) + $fieldname, # the fieldname to check + ) = @_; + + if ( !defined $formRef->{$fieldname} ) { + print "$fieldname was not defined; "; + print Param("browserbugmessage"); + exit 0; + } +} + +# check and see if a given string actually represents a positive +# integer, and abort if not. +# +sub CheckPosInt($) { + my ($number) = @_; # the fieldname to check + + if ( $number !~ /^[1-9][0-9]*$/ ) { + print "Received string \"$number\" when postive integer expected; "; + print Param("browserbugmessage"); + exit 0; + } +} sub FormData { my ($field) = (@_); @@ -247,7 +294,17 @@ sub make_options { } } if (!$found && $default ne "") { + if ( Param("strictvaluechecks") && + ($default ne $::dontchange) && ($default ne "-All-") ) { + print "Possible bug database corruption has been detected. " . + "Please send mail to " . Param("maintainer") . " with " . + "details of what you were doing when this message " . + "appeared. Thank you.\n"; + exit 0; + + } else { $popup .= "<OPTION SELECTED>$default"; + } } return $popup; } diff --git a/buglist.cgi b/buglist.cgi index c273556c0..25343bf6e 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -19,6 +19,7 @@ # Rights Reserved. # # Contributor(s): Terry Weissman <terry@mozilla.org> +# Dan Mosedale <dmose@mozilla.org> use diagnostics; use strict; @@ -755,7 +756,7 @@ document.write(\" <input type=button value=\\\"Uncheck All\\\" onclick=\\\"SetCh <BR> <TEXTAREA WRAP=HARD NAME=comment ROWS=5 COLS=80></TEXTAREA><BR>"; -if ($::usergroupset ne '0' && $buggroupset =~ /^\d*$/) { +if ($::usergroupset ne '0' && $buggroupset =~ /^\d+$/) { SendSQL("select bit, description, (bit & $buggroupset != 0) from groups where bit & $::usergroupset != 0 and isbuggroup != 0 order by bit"); while (MoreSQLData()) { my ($bit, $description, $ison) = (FetchSQLData()); diff --git a/defparams.pl b/defparams.pl index bb266d37a..f035b5761 100644 --- a/defparams.pl +++ b/defparams.pl @@ -19,6 +19,7 @@ # # Contributor(s): Terry Weissman <terry@mozilla.org> # Dawn Endico <endico@mozilla.org> +# Dan Mosedale <dmose@mozilla.org> # This file defines all the parameters that we have a GUI to edit within @@ -368,7 +369,14 @@ DefParam("allowbugdeletion", "b", 0); +DefParam("strictvaluechecks", + "Do stricter integrity checking on both form submission values and values read in from the database.", + "b", + 0); - +DefParam("browserbugmessage", + "If strictvaluechecks is on, and the bugzilla gets unexpected data from the browser, in addition to displaying the cause of the problem, it will output this HTML as well.", + "l", + "this may indicate a bug in your browser.\n"); 1; diff --git a/post_bug.cgi b/post_bug.cgi index 668baf2e7..ac8dd718d 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -19,7 +19,7 @@ # Rights Reserved. # # Contributor(s): Terry Weissman <terry@mozilla.org> - +# Dan Mosedale <dmose@mozilla.org> use diagnostics; use strict; @@ -63,7 +63,6 @@ if (!defined $::FORM{'component'} || $::FORM{'component'} eq "") { print "and choose a component.\n"; exit 0 } - if (!defined $::FORM{'short_desc'} || trim($::FORM{'short_desc'}) eq "") { print "You must enter a summary for this bug. Please hit the\n"; @@ -71,6 +70,22 @@ if (!defined $::FORM{'short_desc'} || trim($::FORM{'short_desc'}) eq "") { exit; } +if ( Param("strictvaluechecks") ) { + GetVersionTable(); + CheckFormField(\%::FORM, 'reporter'); + CheckFormField(\%::FORM, 'product', \@::legal_product); + CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}}); + CheckFormField(\%::FORM, 'rep_platform', \@::legal_platform); + CheckFormField(\%::FORM, 'bug_severity', \@::legal_severity); + CheckFormField(\%::FORM, 'priority', \@::legal_priority); + CheckFormField(\%::FORM, 'op_sys', \@::legal_opsys); + CheckFormFieldDefined(\%::FORM, 'assigned_to'); + CheckFormField(\%::FORM, 'bug_status', \@::legal_bug_status); + CheckFormFieldDefined(\%::FORM, 'bug_file_loc'); + CheckFormField(\%::FORM, 'component', + \@{$::components{$::FORM{'product'}}}); + CheckFormFieldDefined(\%::FORM, 'comment'); +} my $forceAssignedOK = 0; if ($::FORM{'assigned_to'} eq "") { @@ -87,8 +102,7 @@ $::FORM{'reporter'} = DBNameToIdAndCheck($::FORM{'reporter'}); my @bug_fields = ("reporter", "product", "version", "rep_platform", "bug_severity", "priority", "op_sys", "assigned_to", - "bug_status", "bug_file_loc", "short_desc", "component", - "status_whiteboard", "target_milestone"); + "bug_status", "bug_file_loc", "short_desc", "component"); if (Param("useqacontact")) { SendSQL("select initialqacontact from components where program=" . diff --git a/process_bug.cgi b/process_bug.cgi index 4bd800f1e..761783a92 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -19,6 +19,7 @@ # Rights Reserved. # # Contributor(s): Terry Weissman <terry@mozilla.org> +# Dan Mosedale <dmose@mozilla.org> use diagnostics; use strict; @@ -39,8 +40,26 @@ PutHeader ("Bug processed"); GetVersionTable(); +if ( Param("strictvaluechecks") ) { + CheckFormFieldDefined(\%::FORM, 'product'); + CheckFormFieldDefined(\%::FORM, 'version'); + CheckFormFieldDefined(\%::FORM, 'component'); +} + if ($::FORM{'product'} ne $::dontchange) { + if ( Param("strictvaluechecks") ) { + CheckFormField(\%::FORM, 'product', \@::legal_product); + } my $prod = $::FORM{'product'}; + + # note that when this script is called from buglist.cgi (rather + # than show_bug.cgi), it's possible that the product will be changed + # but that the version and/or component will be set to + # "--dont_change--" but still happen to be correct. in this case, + # the if statement will incorrectly trigger anyway. this is a + # pretty weird case, and not terribly unreasonable behavior, but + # worthy of a comment, perhaps. + # my $vok = lsearch($::versions{$prod}, $::FORM{'version'}) >= 0; my $cok = lsearch($::components{$prod}, $::FORM{'component'}) >= 0; if (!$vok || !$cok) { @@ -79,10 +98,36 @@ if ($::FORM{'product'} ne $::dontchange) { my @idlist; if (defined $::FORM{'id'}) { + + # since this means that we were called from show_bug.cgi, now is a good + # time to do a whole bunch of error checking that can't easily happen when + # we've been called from buglist.cgi, because buglist.cgi only tweaks + # values that have been changed instead of submitting all the new values. + # (XXX those error checks need to happen too, but implementing them + # is more work in the current architecture of this script...) + # + if ( Param('strictvaluechecks') ) { + CheckFormField(\%::FORM, 'rep_platform', \@::legal_platform); + CheckFormField(\%::FORM, 'priority', \@::legal_priority); + CheckFormField(\%::FORM, 'bug_severity', \@::legal_severity); + CheckFormField(\%::FORM, 'component', + \@{$::components{$::FORM{'product'}}}); + CheckFormFieldDefined(\%::FORM, 'bug_file_loc'); + CheckFormFieldDefined(\%::FORM, 'short_desc'); + CheckFormField(\%::FORM, 'product', \@::legal_product); + CheckFormField(\%::FORM, 'version', + \@{$::versions{$::FORM{'product'}}}); + CheckFormField(\%::FORM, 'op_sys', \@::legal_opsys); + CheckFormFieldDefined(\%::FORM, 'longdesclength'); + CheckPosInt($::FORM{'id'}); + } push @idlist, $::FORM{'id'}; } else { foreach my $i (keys %::FORM) { if ($i =~ /^id_/) { + if ( Param('strictvaluechecks') ) { + CheckPosInt(substr($i, 3)); + } push @idlist, substr($i, 3); } } @@ -92,6 +137,8 @@ if (!defined $::FORM{'who'}) { $::FORM{'who'} = $::COOKIE{'Bugzilla_login'}; } +# the common updates to all bugs in @idlist start here +# print "<TITLE>Update Bug " . join(" ", @idlist) . "</TITLE>\n"; if (defined $::FORM{'id'}) { navigation_header(); @@ -138,10 +185,9 @@ foreach my $b (grep(/^bit-\d*$/, keys %::FORM)) { } } - -foreach my $field ("rep_platform", "priority", "bug_severity", "url", +foreach my $field ("rep_platform", "priority", "bug_severity", "summary", "component", "bug_file_loc", "short_desc", - "product", "version", "component", "op_sys", + "product", "version", "op_sys", "target_milestone", "status_whiteboard") { if (defined $::FORM{$field}) { if ($::FORM{$field} ne $::dontchange) { @@ -167,6 +213,9 @@ if (defined $::FORM{'qa_contact'}) { ConnectToDatabase(); +if ( Param('strictvaluechecks') ) { + CheckFormFieldDefined(\%::FORM, 'knob'); +} SWITCH: for ($::FORM{'knob'}) { /^none$/ && do { last SWITCH; @@ -187,6 +236,14 @@ SWITCH: for ($::FORM{'knob'}) { /^reassign$/ && do { ChangeStatus('NEW'); DoComma(); + if ( Param("strictvaluechecks") ) { + if ( !defined$::FORM{'assigned_to'} || + trim($::FORM{'assigned_to'}) eq "") { + print "You cannot reassign to a bug to noone. Unless you intentionally cleared out the \"Reassign bug to\" field, "; + print Param("browserbugmessage"); + exit 0; + } + } my $newid = DBNameToIdAndCheck($::FORM{'assigned_to'}); $::query .= "assigned_to = $newid"; last SWITCH; @@ -222,18 +279,24 @@ SWITCH: for ($::FORM{'knob'}) { /^duplicate$/ && do { ChangeStatus('RESOLVED'); ChangeResolution('DUPLICATE'); + if ( Param('strictvaluechecks') ) { + CheckFormFieldDefined(\%::FORM,'dup_id'); + } my $num = trim($::FORM{'dup_id'}); if ($num !~ /^[0-9]*$/) { print "You must specify a bug number of which this bug is a\n"; print "duplicate. The bug has not been changed.\n"; exit; } - if ($::FORM{'dup_id'} == $::FORM{'id'}) { + if (defined($::FORM{'id'}) && $::FORM{'dup_id'} == $::FORM{'id'}) { print "Nice try, $::FORM{'who'}. But it doesn't really make sense to mark a\n"; print "bug as a duplicate of itself, does it?\n"; exit; } AppendComment($::FORM{'dup_id'}, $::FORM{'who'}, "*** Bug $::FORM{'id'} has been marked as a duplicate of this bug. ***"); + if ( Param('strictvaluechecks') ) { + CheckFormFieldDefined(\%::FORM,'comment'); + } $::FORM{'comment'} .= "\n\n*** This bug has been marked as a duplicate of $::FORM{'dup_id'} ***"; print "<TABLE BORDER=1><TD><H2>Notation added to bug $::FORM{'dup_id'}</H2>\n"; @@ -301,7 +364,10 @@ sub LogDependencyActivity { return 0; } - +# this loop iterates once for each bug to be processed (eg when this script +# is called by with multiple bugs selected from buglist.cgi instead of +# show_bug.cgi). +# foreach my $id (@idlist) { my %dependencychanged; SendSQL("lock tables bugs write, bugs_activity write, cc write, profiles write, dependencies write, votes write"); @@ -317,6 +383,7 @@ The changes made were: DumpBugActivity($id, $delta_ts); my $longdesc = GetLongDescription($id); my $longchanged = 0; + if (length($longdesc) > $::FORM{'longdesclength'}) { $longchanged = 1; print "<P>Added text to the long description:<blockquote><pre>"; @@ -476,6 +543,10 @@ The changes made were: } + # get a snapshot of the newly set values out of the database, + # and then generate any necessary bug activity entries by seeing + # what has changed since before we wrote out the new values. + # my @newvalues = SnapShotBug($id); foreach my $col (@::log_columns) { my $old = shift @oldvalues; |