summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Tyson <mtyson@redhat.com>2016-02-25 01:07:20 +0100
committerDylan Hardison <dylan@mozilla.com>2016-02-25 01:07:20 +0100
commit5c7b05750982bca4528c5acde579012f7ccf9120 (patch)
treeae361472488807b59cf9641fc7fbb151db689b8b
parent1969f955c4fc89c4d5a1e955f9bf28fef133efa3 (diff)
downloadbugzilla-5c7b05750982bca4528c5acde579012f7ccf9120.tar.gz
bugzilla-5c7b05750982bca4528c5acde579012f7ccf9120.tar.xz
Bug 1250786 - Detainting of params.json
r=dylan,a=dylan
-rw-r--r--Bugzilla/Config.pm17
1 files changed, 4 insertions, 13 deletions
diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm
index d47577212..64f228915 100644
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -292,32 +292,23 @@ sub write_params {
}
sub read_param_file {
- my %params;
+ my $params;
my $file = bz_locations()->{'datadir'} . '/params.json';
if (-e $file) {
my $data;
read_file($file, binmode => ':utf8', buf_ref => \$data);
+ trick_taint($data);
# If params.json has been manually edited and e.g. some quotes are
# missing, we don't want JSON::XS to leak the content of the file
# to all users in its error message, so we have to eval'uate it.
- %params = eval { %{JSON::XS->new->decode($data)} };
+ $params = eval { JSON::XS->new->decode($data) };
if ($@) {
my $error_msg = (basename($0) eq 'checksetup.pl') ?
$@ : 'run checksetup.pl to see the details.';
die "Error parsing $file: $error_msg";
}
- # JSON::XS doesn't detaint data for us.
- foreach my $key (keys %params) {
- if (ref($params{$key}) eq "ARRAY") {
- foreach my $item (@{$params{$key}}) {
- trick_taint($item);
- }
- } else {
- trick_taint($params{$key}) if defined $params{$key};
- }
- }
}
elsif ($ENV{'SERVER_SOFTWARE'}) {
# We're in a CGI, but the params file doesn't exist. We can't
@@ -332,7 +323,7 @@ sub read_param_file {
die "The $file file does not exist."
. ' You probably need to run checksetup.pl.',
}
- return \%params;
+ return $params // {};
}
1;