author | justdave%syndicomm.com <> | 2001-11-06 05:43:35 +0100 |
---|---|---|
committer | justdave%syndicomm.com <> | 2001-11-06 05:43:35 +0100 |
commit | 1d9fe70befbe375184f3de1e48e1aa168bf6503d (patch) | |
tree | b8184cca98fc8197beed1cf0955d9c620bae2aa4 | |
parent | 2899c1deebc3aeb1b49f8d0ffd271cc5120ae4ee (diff) | |
download | bugzilla-1d9fe70befbe375184f3de1e48e1aa168bf6503d.tar.gz bugzilla-1d9fe70befbe375184f3de1e48e1aa168bf6503d.tar.xz |
SECURITY FIX, see bug 108516: because the bug's reporter was taken from a submitted form field that should never have been trusted, it was possible to file a
bug while pretending to be someone else by editing the HTML form by hand before submitting.
Patch by Dave Miller <justdave@syndicomm.com>
r= bbaetz, jake
-rwxr-xr-x | post_bug.cgi | 30 |
1 files changed, 13 insertions, 17 deletions
diff --git a/post_bug.cgi b/post_bug.cgi
index 4fc7e9c99..bcbef7bb3 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -103,10 +103,7 @@ if ($::FORM{'assigned_to'} eq "") {
 $::FORM{'assigned_to'} = DBNameToIdAndCheck($::FORM{'assigned_to'});
 }
-$::FORM{'reporter'} = DBNameToIdAndCheck($::FORM{'reporter'});
-
-
-my @bug_fields = ("reporter", "product", "version", "rep_platform",
+my @bug_fields = ("product", "version", "rep_platform",
 "bug_severity", "priority", "op_sys", "assigned_to", "bug_status",
 "bug_file_loc", "short_desc", "component", "target_milestone");
@@ -145,7 +142,6 @@ if (!exists $::FORM{'target_milestone'}) {
 if ( Param("strictvaluechecks") ) {
 GetVersionTable();
- CheckFormField(\%::FORM, 'reporter');
 CheckFormField(\%::FORM, 'product', \@::legal_product);
 CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}});
 CheckFormField(\%::FORM, 'target_milestone',
@@ -174,7 +170,7 @@ if (exists $::FORM{'bug_status'} && $::FORM{'bug_status'} ne $::unconfirmedstate
 }
 my $query = "INSERT INTO bugs (\n" . join(",\n", @used_fields) . ",
-creation_ts, groupset)
+reporter, creation_ts, groupset)
 VALUES ( ";
@@ -182,17 +178,17 @@ foreach my $field (@used_fields) {
 # fix for 42609. if there is a http:// only in bug_file_loc, strip
 # it out and send an empty value.
 if ($field eq 'bug_file_loc') {
- if ($::FORM{$field} eq 'http://') {
- $::FORM{$field} = "";
- $query .= SqlQuote($::FORM{$field}) . ",\n";
- next;
- }
- else {
- $query .= SqlQuote($::FORM{$field}) . ",\n";
- }
+ if ($::FORM{$field} eq 'http://') {
+ $::FORM{$field} = "";
+ $query .= SqlQuote($::FORM{$field}) . ",\n";
+ next;
+ }
+ else {
+ $query .= SqlQuote($::FORM{$field}) . ",\n";
+ }
 } else {
- $query .= SqlQuote($::FORM{$field}) . ",\n";
+ $query .= SqlQuote($::FORM{$field}) . ",\n";
 }
 }
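Review bot: Nothing in the new `@bug_fields` list records why `reporter` is absent, so a later maintainer could re-add it as an apparently missing field and reopen bug 108516; a short comment above the list would pin the intent, e.g. `# 'reporter' is deliberately not a form field: it is always the logged-in user ($::userid), never client-supplied (bug 108516).` Note that `assigned_to` on the context lines above is still taken from the form and only checked for existence by DBNameToIdAndCheck, which is presumably the intended behaviour but sits on the same trust boundary. The `if`/`else` around `assigned_to` starts outside the hunk.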
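Review bot: The column list on the added line (`reporter, creation_ts, groupset`) is only correct as long as the value fragment appended further down the file keeps the same order (`$::userid, now(), (0 ...` in a later hunk); the two halves of the INSERT are built some thirty lines apart, so a comment here would stop the next editor from silently shifting columns, e.g. `# column order must match the "$::userid, now(), (0" fragment appended below`. The `my $query = ...` statement runs past the end of this hunk.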
@@ -204,7 +200,7 @@ $comment = trim($comment);
 # OK except for the fact that it causes e-mail to be suppressed.
 $comment = $comment ? $comment : " ";
-$query .= "now(), (0";
+$query .= "$::userid, now(), (0";
 foreach my $b (grep(/^bit-\d*$/, keys %::FORM)) {
 if ($::FORM{$b}) {
@@ -251,7 +247,7 @@ SendSQL("select LAST_INSERT_ID()");
 my $id = FetchOneColumn();
 SendSQL("INSERT INTO longdescs (bug_id, who, bug_when, thetext) VALUES " .
- "($id, $::FORM{'reporter'}, now(), " . SqlQuote($comment) . ")");
+ "($id, $::userid, now(), " . SqlQuote($comment) . ")");
 foreach my $person (keys %ccids) {
 SendSQL("insert into cc (bug_id, who) values ($id, $person)"); |
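Review bot: `$::userid` is interpolated straight into the INSERT on the added line, which is only safe if the login check earlier in the file guarantees it is a non-empty integer; that precondition is not visible in this hunk, and an undefined or empty value would produce a malformed statement rather than a clean failure. Making the new trust boundary explicit before the query is built, `die "not logged in" unless defined $::userid && $::userid =~ /^\d+$/;`, or quoting it with `SqlQuote($::userid)` as the surrounding code does for form values, would close that gap. The statement run continues outside the hunk.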
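Review bot: The `who` of the initial comment is now `$::userid`, interpolated unquoted like `$id` on the same line, and nothing ties it to the `reporter` column set from the same variable in the bugs INSERT earlier in the file; a comment would make the invariant visible to the next editor, e.g. `# who == reporter: both come from the logged-in user, never from the form (bug 108516)`. As with the bugs INSERT, this presumably relies on the login check earlier in the file guaranteeing a numeric `$::userid`, which this hunk does not show.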