summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjustdave%syndicomm.com <>2001-11-06 05:43:35 +0100
committerjustdave%syndicomm.com <>2001-11-06 05:43:35 +0100
commit1d9fe70befbe375184f3de1e48e1aa168bf6503d (patch)
treeb8184cca98fc8197beed1cf0955d9c620bae2aa4
parent2899c1deebc3aeb1b49f8d0ffd271cc5120ae4ee (diff)
downloadbugzilla-1d9fe70befbe375184f3de1e48e1aa168bf6503d.tar.gz
bugzilla-1d9fe70befbe375184f3de1e48e1aa168bf6503d.tar.xz
SECURITY FIX see bug 108516: Due to trusting of passed form fields that shouldn't have been trusted, it was possible to file a
bug pretending to be someone else if you edited the HTML by hand before submitting. Patch by Dave Miller <justdave@syndicomm.com> r= bbaetz, jake
-rwxr-xr-xpost_bug.cgi30
1 files changed, 13 insertions, 17 deletions
diff --git a/post_bug.cgi b/post_bug.cgi
index 4fc7e9c99..bcbef7bb3 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -103,10 +103,7 @@ if ($::FORM{'assigned_to'} eq "") {
$::FORM{'assigned_to'} = DBNameToIdAndCheck($::FORM{'assigned_to'});
}
-$::FORM{'reporter'} = DBNameToIdAndCheck($::FORM{'reporter'});
-
-
-my @bug_fields = ("reporter", "product", "version", "rep_platform",
+my @bug_fields = ("product", "version", "rep_platform",
"bug_severity", "priority", "op_sys", "assigned_to",
"bug_status", "bug_file_loc", "short_desc", "component",
"target_milestone");
@@ -145,7 +142,6 @@ if (!exists $::FORM{'target_milestone'}) {
if ( Param("strictvaluechecks") ) {
GetVersionTable();
- CheckFormField(\%::FORM, 'reporter');
CheckFormField(\%::FORM, 'product', \@::legal_product);
CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}});
CheckFormField(\%::FORM, 'target_milestone',
@@ -174,7 +170,7 @@ if (exists $::FORM{'bug_status'} && $::FORM{'bug_status'} ne $::unconfirmedstate
}
my $query = "INSERT INTO bugs (\n" . join(",\n", @used_fields) . ",
-creation_ts, groupset)
+reporter, creation_ts, groupset)
VALUES (
";
@@ -182,17 +178,17 @@ foreach my $field (@used_fields) {
# fix for 42609. if there is a http:// only in bug_file_loc, strip
# it out and send an empty value.
if ($field eq 'bug_file_loc') {
- if ($::FORM{$field} eq 'http://') {
- $::FORM{$field} = "";
- $query .= SqlQuote($::FORM{$field}) . ",\n";
- next;
- }
- else {
- $query .= SqlQuote($::FORM{$field}) . ",\n";
- }
+ if ($::FORM{$field} eq 'http://') {
+ $::FORM{$field} = "";
+ $query .= SqlQuote($::FORM{$field}) . ",\n";
+ next;
+ }
+ else {
+ $query .= SqlQuote($::FORM{$field}) . ",\n";
+ }
}
else {
- $query .= SqlQuote($::FORM{$field}) . ",\n";
+ $query .= SqlQuote($::FORM{$field}) . ",\n";
}
}
@@ -204,7 +200,7 @@ $comment = trim($comment);
# OK except for the fact that it causes e-mail to be suppressed.
$comment = $comment ? $comment : " ";
-$query .= "now(), (0";
+$query .= "$::userid, now(), (0";
foreach my $b (grep(/^bit-\d*$/, keys %::FORM)) {
if ($::FORM{$b}) {
@@ -251,7 +247,7 @@ SendSQL("select LAST_INSERT_ID()");
my $id = FetchOneColumn();
SendSQL("INSERT INTO longdescs (bug_id, who, bug_when, thetext) VALUES " .
- "($id, $::FORM{'reporter'}, now(), " . SqlQuote($comment) . ")");
+ "($id, $::userid, now(), " . SqlQuote($comment) . ")");
foreach my $person (keys %ccids) {
SendSQL("insert into cc (bug_id, who) values ($id, $person)");