authorjustdave%syndicomm.com <>2002-01-20 10:44:34 +0100
committerjustdave%syndicomm.com <>2002-01-20 10:44:34 +0100
commit4e6767d4c3d1b0b583f4ec076992345545294748 (patch)
tree44d10a299f4d910400fb420b38e21e769c00be7e
parent72f340e3a12668c9356102c71f864afa986e001a (diff)
Fix for bug 108982: enable taint mode for all user-facing CGI files.
Patch by Brad Baetz <bbaetz@student.usyd.edu.au> r= jake, justdave
-rw-r--r--Attachment.pm1
-rwxr-xr-xBug.pm11
-rw-r--r--Bugzilla/Attachment.pm1
-rwxr-xr-xBugzilla/Bug.pm11
-rw-r--r--Bugzilla/Token.pm1
-rw-r--r--CGI.pl19
-rw-r--r--Token.pm1
-rwxr-xr-xattachment.cgi8
-rwxr-xr-xbuglist.cgi20
-rw-r--r--bugzilla.dtd2
-rwxr-xr-xchangepassword.cgi2
-rwxr-xr-xcolchange.cgi4
-rwxr-xr-xcreateaccount.cgi4
-rwxr-xr-xcreateattachment.cgi4
-rwxr-xr-xdescribecomponents.cgi4
-rwxr-xr-xdescribekeywords.cgi4
-rwxr-xr-xdoeditparams.cgi4
-rwxr-xr-xdoeditvotes.cgi9
-rwxr-xr-xduplicates.cgi5
-rwxr-xr-xenter_bug.cgi4
-rw-r--r--globals.pl19
-rwxr-xr-xlong_list.cgi4
-rwxr-xr-xmove.pl5
-rwxr-xr-xnew_comment.cgi2
-rwxr-xr-xpost_bug.cgi4
-rwxr-xr-xprocess_bug.cgi32
-rwxr-xr-xqueryhelp.cgi4
-rwxr-xr-xquips.cgi4
-rwxr-xr-xrelogin.cgi4
-rwxr-xr-xreports.cgi4
-rwxr-xr-xsanitycheck.cgi4
-rwxr-xr-xshow_activity.cgi4
-rwxr-xr-xshow_bug.cgi4
-rwxr-xr-xshowattachment.cgi6
-rwxr-xr-xshowdependencygraph.cgi8
-rwxr-xr-xshowvotes.cgi6
-rw-r--r--t/002goodperl.t33
-rwxr-xr-xtoken.cgi4
-rwxr-xr-xuserprefs.cgi4
-rwxr-xr-xxml.cgi7
40 files changed, 208 insertions, 73 deletions
diff --git a/Attachment.pm b/Attachment.pm
index 1ba194d77..acfa52f63 100644
--- a/Attachment.pm
+++ b/Attachment.pm
@@ -1,4 +1,3 @@
-#!/usr/bonsaitools/bin/perl -w
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
diff --git a/Bug.pm b/Bug.pm
index 670b274eb..96ff0b8af 100755
--- a/Bug.pm
+++ b/Bug.pm
@@ -1,4 +1,3 @@
-#!/usr/bonsaitools/bin/perl -w
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -75,10 +74,12 @@ sub initBug {
my $self = shift();
my ($bug_id, $user_id) = (@_);
-
- if ( (! defined $bug_id) || (!$bug_id) ) {
- # no bug number given
- return {};
+ my $old_bug_id = $bug_id;
+ if ((! defined $bug_id) || (!$bug_id) || (!&::detaint_natural($bug_id))) {
+ # no bug number given
+ $self->{'bug_id'} = $old_bug_id;
+ $self->{'error'} = "InvalidBugId";
+ return $self;
}
# default userid 0, or get DBID if you used an email address
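Review bot: On the failure path the raw, still-tainted input is kept on the object (`$self->{'bug_id'} = $old_bug_id;`), so whatever later prints that field — the XML output this InvalidBugId value was added to bugzilla.dtd for — must escape it, and nothing in the hunk shows that happening. The comment `# no bug number given` is also stale now that the branch is taken for non-numeric IDs as well; suggest `# no bug number given, or not a natural number; the raw (unvalidated, tainted) value is kept only for error reporting`. initBug continues past the end of this hunk.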
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index 1ba194d77..acfa52f63 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -1,4 +1,3 @@
-#!/usr/bonsaitools/bin/perl -w
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 670b274eb..96ff0b8af 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -1,4 +1,3 @@
-#!/usr/bonsaitools/bin/perl -w
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -75,10 +74,12 @@ sub initBug {
my $self = shift();
my ($bug_id, $user_id) = (@_);
-
- if ( (! defined $bug_id) || (!$bug_id) ) {
- # no bug number given
- return {};
+ my $old_bug_id = $bug_id;
+ if ((! defined $bug_id) || (!$bug_id) || (!&::detaint_natural($bug_id))) {
+ # no bug number given
+ $self->{'bug_id'} = $old_bug_id;
+ $self->{'error'} = "InvalidBugId";
+ return $self;
}
# default userid 0, or get DBID if you used an email address
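Review bot: This copy of initBug is identical to the one in Bug.pm and carries the same gap: the unvalidated `$old_bug_id` is stored as `bug_id` on the returned object, so any consumer that emits it (the XML serializer, presumably) needs to escape it, and the `# no bug number given` comment no longer describes the condition, which now also covers non-numeric IDs. A comment such as `# invalid or missing bug number; bug_id holds the raw untrusted value for the error report` would make the contract clear. The function's remaining body is outside this hunk.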
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 185884c98..f2c5fbde7 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -1,4 +1,3 @@
-#!/usr/bonsaitools/bin/perl -w
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
diff --git a/CGI.pl b/CGI.pl
index e245c1db4..16ec7f2d8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -93,6 +93,9 @@ sub url_quote {
sub ParseUrlString {
+ # We don't want to detaint the user supplied data...
+ use re 'taint';
+
my ($buffer, $f, $m) = (@_);
undef %$f;
undef %$m;
@@ -118,6 +121,7 @@ sub ParseUrlString {
$name = $item;
$value = "";
}
+
if ($value ne "") {
if (defined $f->{$name}) {
$f->{$name} .= $value;
@@ -141,7 +145,6 @@ sub ParseUrlString {
}
}
-
sub ProcessFormFields {
my ($buffer) = (@_);
return ParseUrlString($buffer, \%::FORM, \%::MFORM);
@@ -259,18 +262,18 @@ sub ValidateBugID {
# Validates and verifies a bug ID, making sure the number is a
# positive integer, that it represents an existing bug in the
# database, and that the user is authorized to access that bug.
+ # We detaint the number here, too
- my ($id) = @_;
-
- # Make sure the bug number is a positive integer.
- # Whitespace can be ignored because the SQL server will ignore it.
- $id =~ /^\s*([1-9][0-9]*)\s*$/
+ $_[0] = trim($_[0]); # Allow whitespace arround the number
+ detaint_natural($_[0])
|| DisplayError("The bug number is invalid. If you are trying to use " .
"QuickSearch, you need to enable JavaScript in your " .
"browser. To help us fix this limitation, look " .
"<a href=\"http://bugzilla.mozilla.org/show_bug.cgi?id=70907\">here</a>.")
&& exit;
+ my ($id) = @_;
+
# Get the values of the usergroupset and userid global variables
# and write them to local variables for use within this function,
# setting those local variables to the default value of zero if
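Review bot: The function now writes back to the caller's variable through `$_[0]` (`$_[0] = trim($_[0]);` and `detaint_natural($_[0])`), which is what lets callers reuse the detainted value afterwards, but nothing documents it and a caller passing a literal or other read-only value would die with "Modification of a read-only value attempted". Suggest extending the header comment with `# NOTE: the argument is modified in place (via @_ aliasing): it is trimmed and detainted for the caller, so never pass a literal.` The added comment also misspells "around" as "arround". The rest of ValidateBugID lies outside this hunk.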
@@ -685,6 +688,8 @@ sub quietly_check_login() {
$::COOKIE{"Bugzilla_login"} = $loginname; # Makes sure case
# is in
# canonical form.
+ # We've just verified that this is ok
+ detaint_natural($::COOKIE{"Bugzilla_logincookie"});
} else {
$::disabledreason = $disabledtext;
}
@@ -1430,6 +1435,8 @@ if (defined $ENV{"REQUEST_METHOD"}) {
if (defined $ENV{"HTTP_COOKIE"}) {
+ # Don't trust anything which came in as a cookie
+ use re 'taint';
foreach my $pair (split(/;/, $ENV{"HTTP_COOKIE"})) {
$pair = trim($pair);
if ($pair =~ /^([^=]*)=(.*)$/) {
diff --git a/Token.pm b/Token.pm
index 185884c98..f2c5fbde7 100644
--- a/Token.pm
+++ b/Token.pm
@@ -1,4 +1,3 @@
-#!/usr/bonsaitools/bin/perl -w
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
diff --git a/attachment.cgi b/attachment.cgi
index e5c3f52fe..5996aa86d 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -29,6 +29,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
# Include the Bugzilla CGI and general utility library.
require "CGI.pl";
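Review bot: `use lib qw(.)` makes module and `require "CGI.pl"` lookup depend on the process's current working directory rather than on the script's location; that works for CGI execution, where the server runs the script from its own directory, but it is a hidden assumption that deserves a comment, e.g. `# Libraries are loaded relative to the cwd, which under CGI is the Bugzilla directory`. The same line is added to every CGI in this commit, so the explanation belongs wherever the convention is documented rather than repeated in each file.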
@@ -139,10 +141,10 @@ exit;
sub validateID
{
- # Validate the value of the "id" form field, which must contain a positive
+ # Validate the value of the "id" form field, which must contain an
# integer that is the ID of an existing attachment.
- $::FORM{'id'} =~ /^[1-9][0-9]*$/
+ detaint_natural($::FORM{'id'})
|| DisplayError("You did not enter a valid attachment number.")
&& exit;
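Review bot: Validation is loosened here: the old `/^[1-9][0-9]*$/` rejected `0` and leading zeros, and the comment change from "a positive integer" to "an integer" suggests `detaint_natural` (not shown in this diff) accepts them. That is harmless only if the code after validateID treats a non-existent attachment 0 as an error rather than as "no id"; if that is not guaranteed, keep the stricter form with `detaint_natural($::FORM{'id'}) && $::FORM{'id'} > 0`. The comment could also say that `id` is detainted in place for the rest of the script, which is the non-obvious side effect of the new call.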
diff --git a/buglist.cgi b/buglist.cgi
index d74563f25..ce67f648e 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -26,6 +26,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
use Date::Parse;
@@ -783,6 +785,11 @@ sub GenerateSQL {
die "Internal error: $errstr" if $chart < 0;
return Error($errstr);
}
+
+ # This is either from the internal chart (in which case we
+ # already know about it), or it was in %chartfields, so it is
+ # a valid field name, which means that its ok.
+ trick_taint($f);
$q = SqlQuote($v);
my $func;
$term = undef;
@@ -1067,7 +1074,15 @@ my @fields = ("bugs.bug_id", "bugs.groupset");
foreach my $c (@collist) {
if (exists $::needquote{$c}) {
- push(@fields, "$::key{$c}");
+ # The value we are actually using is $::key{$c}, which was created
+ # using the DefCol() function earlier. We test for the existance
+ # of $::needsquote{$c} to find out if $c is a legitimate key in the
+ # hashes that were defined by DefCol(). If $::needsquote{$c} exists,
+ # then $c is valid and we can use it to look up our key.
+ # If it doesn't exist, then we know the user is screwing with us
+ # and we'll just skip it.
+ trick_taint($c);
+ push(@fields, $::key{$c});
}
}
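Review bot: The new comment refers to `$::needsquote{$c}` but the code tests `$::needquote{$c}`; the hash name in the comment should match the code, or a reader checking the taint argument will look for a hash that does not exist. The comment also credits the skipping of unknown columns to the hashes, when it is the existing `if (exists $::needquote{$c})` guard doing it; the point worth stating is `# trick_taint($c) is only reached after the exists() check proves $c is one of the DefCol() keys`. The enclosing foreach is fully visible; the surrounding code is not.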
@@ -1142,6 +1157,7 @@ if (defined $::FORM{'order'} && $::FORM{'order'} ne "") {
}
die "Invalid order: $::FORM{'order'}" unless
$::FORM{'order'} =~ /^([a-zA-Z0-9_., ]+)$/;
+ $::FORM{'order'} = $1; # detaint this, since we've checked it
# Extra special disgusting hack: if we are ordering by target_milestone,
# change it to order by the sortkey of the target_milestone first.
diff --git a/bugzilla.dtd b/bugzilla.dtd
index a443a953a..21fbb1dab 100644
--- a/bugzilla.dtd
+++ b/bugzilla.dtd
@@ -8,7 +8,7 @@ priority, version, rep_platform, assigned_to, delta_ts, component,
reporter, target_milestone?, bug_severity, creation_ts, qa_contact?,
status_whiteboard?, op_sys, short_desc?, keywords*, dependson*,
blocks*, cc*, long_desc?, attachment*)>
-<!ATTLIST bug error (NotFound|NotPermitted) #IMPLIED>
+<!ATTLIST bug error (NotFound|NotPermitted|InvalidBugId) #IMPLIED>
<!ELEMENT bug_id (#PCDATA)>
<!ELEMENT short_desc (#PCDATA)>
<!ELEMENT bug_status (#PCDATA)>
diff --git a/changepassword.cgi b/changepassword.cgi
index 73ae90350..dafe5c1ae 100755
--- a/changepassword.cgi
+++ b/changepassword.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
diff --git a/colchange.cgi b/colchange.cgi
index f96559885..89150b5d4 100755
--- a/colchange.cgi
+++ b/colchange.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
sub sillyness { # shut up "used only once" warnings
my $zz = @::legal_keywords;
}
diff --git a/createaccount.cgi b/createaccount.cgi
index 4e5f6d49d..839b81fb3 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -26,6 +26,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
# Shut up misguided -w warnings about "used only once":
diff --git a/createattachment.cgi b/createattachment.cgi
index d665e4498..ed8308cac 100755
--- a/createattachment.cgi
+++ b/createattachment.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
use vars %::COOKIE, %::FILENAME;
diff --git a/describecomponents.cgi b/describecomponents.cgi
index bf6f94a34..9a2b99cc2 100755
--- a/describecomponents.cgi
+++ b/describecomponents.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@ use vars %::FORM;
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
diff --git a/describekeywords.cgi b/describekeywords.cgi
index 6e23ca63d..3475fb6eb 100755
--- a/describekeywords.cgi
+++ b/describekeywords.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
diff --git a/doeditparams.cgi b/doeditparams.cgi
index a67175e91..7390333c0 100755
--- a/doeditparams.cgi
+++ b/doeditparams.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
require "defparams.pl";
diff --git a/doeditvotes.cgi b/doeditvotes.cgi
index 94c36b8f4..4d88e13c9 100755
--- a/doeditvotes.cgi
+++ b/doeditvotes.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
@@ -67,9 +69,6 @@ if (0 == @buglist) {
# minus sign).
foreach my $id (@buglist) {
ValidateBugID($id);
- ($::FORM{$id} =~ /^\d+$/)
- || DisplayError("Only use non-negative numbers for your bug votes.")
- && exit;
}
######################################################################
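Review bot: Dropping the up-front check means a non-numeric vote count is no longer rejected before any change is made; the replacement test (`detaint_natural($::FORM{$id}) && $::FORM{$id} > 0` in the later hunk) runs only after `delete from votes where who = $who`, so a bad value now silently discards that vote instead of producing the "Only use non-negative numbers" error. Keep the early validation in a form that also detaints: `detaint_natural($::FORM{$id}) || DisplayError("Only use non-negative numbers for your bug votes.") && exit;` inside this loop. Any code between the two hunks that sums or compares vote counts is outside my view and would also see the unvalidated value.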
@@ -144,7 +143,7 @@ while (MoreSQLData()) {
}
SendSQL("delete from votes where who = $who");
foreach my $id (@buglist) {
- if ($::FORM{$id} > 0) {
+ if (detaint_natural($::FORM{$id}) && $::FORM{$id} > 0) {
SendSQL("insert into votes (who, bug_id, count) values ($who, $id, $::FORM{$id})");
}
$affected{$id} = 1;
diff --git a/duplicates.cgi b/duplicates.cgi
index cd2d14c2a..78f29829f 100755
--- a/duplicates.cgi
+++ b/duplicates.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -27,6 +27,9 @@ use diagnostics;
use strict;
use CGI "param";
use AnyDBM_File;
+
+use lib qw(.);
+
require "globals.pl";
require "CGI.pl";
diff --git a/enter_bug.cgi b/enter_bug.cgi
index bd55b7363..f522f89c9 100755
--- a/enter_bug.cgi
+++ b/enter_bug.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -35,6 +35,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
# Shut up misguided -w warnings about "used only once". "use vars" just
diff --git a/globals.pl b/globals.pl
index 87db566c1..36e1f86f1 100644
--- a/globals.pl
+++ b/globals.pl
@@ -194,8 +194,27 @@ sub SqlLog {
}
}
+# This is from the perlsec page, slightly modifed to remove a warning
+# From that page:
+# This function makes use of the fact that the presence of
+# tainted data anywhere within an expression renders the
+# entire expression tainted.
+# Don't ask me how it works...
+sub is_tainted {
+ return not eval { my $foo = join('',@_), kill 0; 1; };
+}
+
sub SendSQL {
my ($str, $dontshadow) = (@_);
+
+ # Don't use DBI's taint stuff yet, because:
+ # a) We don't want out vars to be tainted (yet)
+ # b) We want to know who called SendSQL...
+ # Is there a better way to do b?
+ if (is_tainted($str)) {
+ die "Attempted to send tainted string to the database";
+ }
+
my $iswrite = ($str =~ /^(INSERT|REPLACE|UPDATE|DELETE)/i);
if ($iswrite && !$::dbwritesallowed) {
die "Evil code attempted to write stuff to the shadow database.";
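Review bot: The comment in SendSQL says the reason for checking here rather than via DBI is to know who called SendSQL, yet `die "Attempted to send tainted string to the database"` carries no caller information; `confess` from the core Carp module gives the backtrace: `use Carp; ... confess "Attempted to send tainted string to the database";`. Also, `is_tainted` depends on `kill 0` raising under -T, so in scripts still run without -T (the edit*.cgi files, per t/002goodperl.t) it always returns false and this check is a no-op — worth stating in its comment so nobody relies on it there. "out vars" in the comment should read "our vars".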
diff --git a/long_list.cgi b/long_list.cgi
index f6182d439..552457b06 100755
--- a/long_list.cgi
+++ b/long_list.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
# Shut up misguided -w warnings about "used only once". "use vars" just
diff --git a/move.pl b/move.pl
index 37b8cb7ef..9647aee43 100755
--- a/move.pl
+++ b/move.pl
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,9 @@
use diagnostics;
use strict;
+
+use lib qw(.);
+
use Bug;
require "CGI.pl";
$::lockcount = 0;
diff --git a/new_comment.cgi b/new_comment.cgi
index 7f428ef80..bed11b472 100755
--- a/new_comment.cgi
+++ b/new_comment.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
diff --git a/post_bug.cgi b/post_bug.cgi
index b2b843977..361cba848 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
# Shut up misguided -w warnings about "used only once". For some reason,
diff --git a/process_bug.cgi b/process_bug.cgi
index ac2e239ef..13942ca5f 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -29,6 +29,8 @@ use strict;
my $UserInEditGroupSet = -1;
my $UserInCanConfirmGroupSet = -1;
+use lib qw(.);
+
require "CGI.pl";
use RelationSet;
@@ -42,6 +44,7 @@ use vars %::versions,
%::legal_opsys,
%::legal_platform,
%::legal_priority,
+ %::settable_resolution,
%::target_milestone,
%::legal_severity,
%::superusergroupset;
@@ -58,13 +61,18 @@ my $requiremilestone = 0;
# This list will either consist of a single bug number from the "id"
# form/URL field or a series of numbers from multiple form/URL fields
# named "id_x" where "x" is the bug number.
+# For each bug being modified, make sure its ID is a valid bug number
+# representing an existing bug that the user is authorized to access.
my @idlist;
if (defined $::FORM{'id'}) {
+ ValidateBugID($::FORM{'id'});
push @idlist, $::FORM{'id'};
} else {
foreach my $i (keys %::FORM) {
if ($i =~ /^id_([1-9][0-9]*)/) {
- push @idlist, $1;
+ my $id = $1;
+ ValidateBugID($id);
+ push @idlist, $id;
}
}
}
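Review bot: The `id_x` match `/^id_([1-9][0-9]*)/` has no end anchor, so a form key like `id_12x` yields bug 12; ValidateBugID then confirms bug 12 exists and is visible, so the effect is limited to accepting malformed keys, but `/^id_([1-9][0-9]*)$/` is the intended contract. The single-id branch also relies on ValidateBugID detainting `$::FORM{'id'}` in place before it is pushed; a one-line comment there, `# ValidateBugID also detaints $::FORM{'id'} in place`, saves the next reader a trip to CGI.pl.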
@@ -74,12 +82,6 @@ scalar(@idlist)
|| DisplayError("You did not select any bugs to modify.")
&& exit;
-# For each bug being modified, make sure its ID is a valid bug number
-# representing an existing bug that the user is authorized to access.
-foreach my $id (@idlist) {
- ValidateBugID($id);
-}
-
# If we are duping bugs, let's also make sure that we can change
# the original. This takes care of issue A on bug 96085.
if (defined $::FORM{'dup_id'} && $::FORM{'knob'} eq "duplicate") {
@@ -538,7 +540,7 @@ sub ChangeResolution {
my ($str) = (@_);
if ($str ne $::dontchange) {
DoComma();
- $::query .= "resolution = '$str'";
+ $::query .= "resolution = " . SqlQuote($str);
}
}
@@ -695,6 +697,8 @@ SWITCH: for ($::FORM{'knob'}) {
last SWITCH;
};
/^resolve$/ && CheckonComment( "resolve" ) && do {
+ # Check here, because its the only place we require the resolution
+ CheckFormField(\%::FORM, 'resolution', \@::settable_resolution);
ChangeStatus('RESOLVED');
ChangeResolution($::FORM{'resolution'});
last SWITCH;
@@ -1030,8 +1034,15 @@ The changes made were:
foreach my $i (split('[\s,]+', $::FORM{$target})) {
if ($i eq "") {
next;
+ }
+ my $orig = $i;
+ if (!detaint_natural($i)) {
+ PuntTryAgain("$orig is not a legal bug number");
}
+
+ # Don't use CanSeeBug, since we want to keep deps to bugs a
+ # user can't see
SendSQL("select bug_id from bugs where bug_id = " .
SqlQuote($i));
my $comp = FetchOneColumn();
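Review bot: `PuntTryAgain("$orig is not a legal bug number")` echoes raw, unvalidated user input in an error message; if PuntTryAgain renders its argument as HTML (its body is not in this diff) that is a reflected-XSS vector, and `$orig` should go through the file's HTML-quoting helper before interpolation. The SendSQL that follows is fine, since `$i` is both detainted and SqlQuote'd. The enclosing loop and function continue outside this hunk.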
@@ -1049,7 +1060,8 @@ The changes made were:
my @stack = @{$deps{$target}};
while (@stack) {
my $i = shift @stack;
- SendSQL("select $target from dependencies where $me = $i");
+ SendSQL("select $target from dependencies where $me = " .
+ SqlQuote($i));
while (MoreSQLData()) {
my $t = FetchOneColumn();
if ($t == $id) {
diff --git a/queryhelp.cgi b/queryhelp.cgi
index 9206bc144..93cbef755 100755
--- a/queryhelp.cgi
+++ b/queryhelp.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -27,6 +27,8 @@ use vars %::FORM;
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
diff --git a/quips.cgi b/quips.cgi
index 897bf32d0..d6fff6cfa 100755
--- a/quips.cgi
+++ b/quips.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@ use diagnostics;
use strict;
use vars ( %::FORM );
+use lib qw(.);
+
require "CGI.pl";
print "Content-type: text/html\n\n";
diff --git a/relogin.cgi b/relogin.cgi
index 44fae4cc1..091a96e8d 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@ use strict;
use vars %::COOKIE;
+use lib qw(.);
+
require "CGI.pl";
my $cookiepath = Param("cookiepath");
diff --git a/reports.cgi b/reports.cgi
index 861622d73..0bdc062d1 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -41,6 +41,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
eval "use GD";
my $use_gd = $@ ? 0 : 1;
eval "use Chart::Lines";
diff --git a/sanitycheck.cgi b/sanitycheck.cgi
index 1bf10f071..c85a3668e 100755
--- a/sanitycheck.cgi
+++ b/sanitycheck.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
use vars %::FORM;
diff --git a/show_activity.cgi b/show_activity.cgi
index fccc21cd4..f8c55f0a1 100755
--- a/show_activity.cgi
+++ b/show_activity.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
diff --git a/show_bug.cgi b/show_bug.cgi
index c5b569a45..28eb66763 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
diff --git a/showattachment.cgi b/showattachment.cgi
index 78143c550..70f5c6d66 100755
--- a/showattachment.cgi
+++ b/showattachment.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
if (!defined $::FORM{'attach_id'}) {
@@ -43,7 +45,7 @@ ConnectToDatabase();
quietly_check_login();
-if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) {
+if (!detaint_natural($::FORM{attach_id})) {
DisplayError("Attachment ID should be numeric.");
exit;
}
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index a10afb896..4bb90d497 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
@@ -168,6 +170,10 @@ node [URL="${urlbase}show_bug.cgi?id=\\N", style=filled, color=lightgrey]
# Cleanup any old .dot files created from previous runs.
my $since = time() - 24 * 60 * 60;
foreach my $f (glob("data/webdot/*.dot")) {
+ # Here we are deleting all old files. All entries are from the
+ # data/webdot/ directory. Since we're deleting the file (not following
+ # symlinks), this can't escape to delete anything it shouldn't
+ trick_taint($f);
if (ModTime($f) < $since) {
unlink $f;
}
diff --git a/showvotes.cgi b/showvotes.cgi
index a6928bf84..6ed4bb8e4 100755
--- a/showvotes.cgi
+++ b/showvotes.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
ConnectToDatabase();
@@ -61,7 +63,7 @@ if (defined $::FORM{'voteon'}) {
# Make sure the user ID is a positive integer representing an existing user.
if (defined $::FORM{'user'}) {
- $::FORM{'user'} =~ /^([1-9][0-9]*)$/
+ detaint_natural($::FORM{'user'})
|| DisplayError("The user number is invalid.")
&& exit;
SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}");
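Review bot: The comment above the check still promises a "positive integer", while the replacement `detaint_natural($::FORM{'user'})` — judging by the comment change made to attachment.cgi in this same commit — also accepts 0 and leading zeros; the SELECT that follows finds no row for 0, so behaviour is acceptable, but the comment should state what is actually enforced: `# Make sure the user ID is a natural number (detainted here) naming an existing user.`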
diff --git a/t/002goodperl.t b/t/002goodperl.t
index 9c99a799a..09a5f0324 100644
--- a/t/002goodperl.t
+++ b/t/002goodperl.t
@@ -55,13 +55,40 @@ foreach my $file (@testitems) {
}
my $file_line1 = <FILE>;
close (FILE);
+
+ $file =~ m/.*\.(.*)/;
+ my $ext = $1;
+
if ($file_line1 !~ /\/usr\/bonsaitools\/bin\/perl/) {
ok(1,"$file does not have a shebang");
} else {
- if ($file_line1 =~ m#/usr/bonsaitools/bin/perl -w#) {
- ok(1,"$file uses -w");
+ my $flags;
+ if ($file eq "processmail") {
+ # special case processmail, which is tainted checked
+ $flags = "wT";
+ } elsif (!defined $ext || $ext eq "pl") {
+ # standalone programs (eg syncshadowdb) aren't taint checked yet
+ $flags = "w";
+ } elsif ($ext eq "pm") {
+ ok(0, "$file is a module, but has a shebang");
+ next;
+ } elsif ($ext eq "cgi") {
+ # cgi files must be taint checked, but only the user-accessible
+ # ones have been checked so far
+ if ($file =~ m/^edit/) {
+ $flags = "w";
+ } else {
+ $flags = "wT";
+ }
+ } else {
+ ok(0, "$file has shebang but unknown extension");
+ next;
+ }
+
+ if ($file_line1 =~ m#/usr/bonsaitools/bin/perl -$flags#) {
+ ok(1,"$file uses -$flags");
} else {
- ok(0,"$file is MISSING -w --WARNING");
+ ok(0,"$file is MISSING -$flags --WARNING");
}
}
}
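Review bot: `$file =~ m/.*\.(.*)/; my $ext = $1;` uses `$1` without checking that the match succeeded, so for a file with no dot `$ext` is whatever the last successful match in scope left behind, and the greedy `.*` also lets a dot in a directory component supply the "extension". Capture in list context with a path-aware pattern instead: `my ($ext) = $file =~ m{\.([^./]+)\z};` — it is undef on no match, which the `!defined $ext` branch below already expects.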
diff --git a/token.cgi b/token.cgi
index 2fed15ad0..81ae29629 100755
--- a/token.cgi
+++ b/token.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -28,6 +28,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
# Include the Bugzilla CGI and general utility library.
require "CGI.pl";
diff --git a/userprefs.cgi b/userprefs.cgi
index bc0f1d672..531d57c0e 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -22,6 +22,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
use RelationSet;
diff --git a/xml.cgi b/xml.cgi
index 51093890e..8b71b3837 100755
--- a/xml.cgi
+++ b/xml.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -23,10 +23,13 @@
use diagnostics;
use strict;
+
+use lib qw(.);
+
use Bug;
require "CGI.pl";
-if (!defined $::FORM{'id'} || $::FORM{'id'} !~ /^\s*\d+(,\d+)*\s*$/) {
+if (!defined $::FORM{'id'} || !$::FORM{'id'}) {
print "Content-type: text/html\n\n";
PutHeader("Display as XML");
print "<FORM METHOD=GET ACTION=\"xml.cgi\">\n";
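Review bot: The per-ID format check has moved out of this file into Bug::initBug (the new InvalidBugId error), and the remaining `!$::FORM{'id'}` test now treats an id of `0` as "no id supplied" and shows the form. Both are reasonable but non-obvious, so record them next to the condition: `# Only presence is checked here; each ID is validated (and detainted) by Bug::initBug, which reports InvalidBugId`. How the comma-separated list is split before reaching initBug is outside this hunk.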