authorFrédéric Buclin <LpSolit@gmail.com>2012-03-06 22:08:55 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-03-06 22:08:55 +0100
commit4357cedbbe2f046c3354b575df4e7b63f45252e6 (patch)
treedb19a51918c714a4ba5e18fa75f500af59b9c99b
parentebe30fe4ed3caedadccd9ffee7dbd63d3d164572 (diff)
Bug 545610: Correctly parse CGI parameters, especially when using mod_perl
r=gerv a=LpSolit
-rwxr-xr-xreport.cgi23
-rw-r--r--template/en/default/reports/report-table.html.tmpl13
2 files changed, 22 insertions, 14 deletions
diff --git a/report.cgi b/report.cgi
index e562d814a..83561fde5 100755
--- a/report.cgi
+++ b/report.cgi
@@ -21,7 +21,6 @@ use List::MoreUtils qw(uniq);
my $cgi = Bugzilla->cgi;
my $template = Bugzilla->template;
my $vars = {};
-my $buffer = $cgi->query_string();
# Go straight back to query.cgi if we are adding a boolean chart.
if (grep(/^cmd-/, $cgi->param())) {
@@ -34,9 +33,6 @@ if (grep(/^cmd-/, $cgi->param())) {
}
Bugzilla->login();
-
-my $dbh = Bugzilla->switch_to_shadow_db();
-
my $action = $cgi->param('action') || 'menu';
if ($action eq "menu") {
@@ -47,6 +43,9 @@ if ($action eq "menu") {
exit;
}
+# Sanitize the URL, to make URLs shorter.
+$cgi->clean_search_url;
+
my $col_field = $cgi->param('x_axis_field') || '';
my $row_field = $cgi->param('y_axis_field') || '';
my $tbl_field = $cgi->param('z_axis_field') || '';
@@ -120,6 +119,7 @@ my $query = $search->sql;
$::SIG{TERM} = 'DEFAULT';
$::SIG{PIPE} = 'DEFAULT';
+my $dbh = Bugzilla->switch_to_shadow_db();
my $results = $dbh->selectall_arrayref($query);
# We have a hash of hashes for the data itself, and a hash to hold the
@@ -228,10 +228,10 @@ if ($action eq "wrap") {
# We need to keep track of the defined restrictions on each of the
# axes, because buglistbase, below, throws them away. Without this, we
# get buglistlinks wrong if there is a restriction on an axis field.
- $vars->{'col_vals'} = join("&", $buffer =~ /[&?]($col_field=[^&]+)/g);
- $vars->{'row_vals'} = join("&", $buffer =~ /[&?]($row_field=[^&]+)/g);
- $vars->{'tbl_vals'} = join("&", $buffer =~ /[&?]($tbl_field=[^&]+)/g);
-
+ $vars->{'col_vals'} = get_field_restrictions($col_field);
+ $vars->{'row_vals'} = get_field_restrictions($row_field);
+ $vars->{'tbl_vals'} = get_field_restrictions($tbl_field);
+
# We need a number of different variants of the base URL for different
# URLs in the HTML.
$vars->{'buglistbase'} = $cgi->canonicalise_query(
@@ -331,3 +331,10 @@ sub check_value {
}
return $value;
}
+
+sub get_field_restrictions {
+ my $field = shift;
+ my $cgi = Bugzilla->cgi;
+
+ return join('&', map {"$field=$_"} $cgi->param($field));
+}
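Review bot: `get_field_restrictions` joins the already-URL-decoded values returned by `$cgi->param($field)` straight into a query-string fragment without re-encoding them, whereas the removed regex code took the same values out of `$cgi->query_string()` and therefore kept them percent-encoded. A value containing `&`, `=`, `#` or whitespace now splits or truncates the restriction, and because report-table.html.tmpl appends `tbl_vals` to `urlbase` with no `FILTER` (`[% urlbase = urlbase _ "&amp;" _ tbl_vals %]` in the template hunk), any HTML metacharacters in a submitted value also reach the page unescaped. Encode both halves in the definition, e.g. `return join('&', map { url_quote($field) . '=' . url_quote($_) } $cgi->param($field));`, using `url_quote` from Bugzilla::Util if it is already imported in this script as in other Bugzilla CGIs; the three callers at the `col_vals`/`row_vals`/`tbl_vals` assignments in the previous hunk then need no change. The inner `my $cgi = Bugzilla->cgi;` duplicates the file-level `$cgi` declared near the top of the script and can be dropped. A one-line comment on the sub, such as `# Rebuild the "field=value&field=value" query fragment for every submitted value of $field.`, would also document its purpose.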
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index 8c4901a88..1ab48c34e 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -19,13 +19,14 @@
[% col_field_disp = field_descs.$col_field || col_field %]
[% row_field_disp = field_descs.$row_field || row_field %]
-
+
+[% urlbase = BLOCK %]buglist.cgi?[% buglistbase FILTER html %][% END %]
[% IF tbl == "-total-" %]
- [% urlbase = BLOCK %]buglist.cgi?[% buglistbase FILTER html %]
- [% "&amp;$tbl_vals" IF tbl_vals %][% END %]
-[% ELSE %]
- [% urlbase = BLOCK %]buglist.cgi?[% buglistbase FILTER html %]&amp;
- [% tbl_field FILTER uri %]=[% tbl FILTER uri %][% END %]
+ [% IF tbl_vals %]
+ [% urlbase = urlbase _ "&amp;" _ tbl_vals %]
+ [% END %]
+[% ELSIF tbl_field %]
+ [% urlbase = BLOCK %][% urlbase %]&amp;[% tbl_field FILTER uri %]=[% tbl FILTER uri %][% END %]
[% END %]
<script type="text/javascript">