diff options
author | Matt Tyson <mtyson@redhat.com> | 2016-02-25 01:07:20 +0100 |
---|---|---|
committer | Dylan Hardison <dylan@mozilla.com> | 2016-02-25 01:07:20 +0100 |
commit | 5c7b05750982bca4528c5acde579012f7ccf9120 (patch) | |
tree | ae361472488807b59cf9641fc7fbb151db689b8b | |
parent | 1969f955c4fc89c4d5a1e955f9bf28fef133efa3 (diff) | |
download | bugzilla-5c7b05750982bca4528c5acde579012f7ccf9120.tar.gz bugzilla-5c7b05750982bca4528c5acde579012f7ccf9120.tar.xz |
Bug 1250786 - Detainting of params.json
r=dylan,a=dylan
-rw-r--r-- | Bugzilla/Config.pm | 17 |
1 files changed, 4 insertions, 13 deletions
diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm index d47577212..64f228915 100644 --- a/Bugzilla/Config.pm +++ b/Bugzilla/Config.pm @@ -292,32 +292,23 @@ sub write_params { } sub read_param_file { - my %params; + my $params; my $file = bz_locations()->{'datadir'} . '/params.json'; if (-e $file) { my $data; read_file($file, binmode => ':utf8', buf_ref => \$data); + trick_taint($data); # If params.json has been manually edited and e.g. some quotes are # missing, we don't want JSON::XS to leak the content of the file # to all users in its error message, so we have to eval'uate it. - %params = eval { %{JSON::XS->new->decode($data)} }; + $params = eval { JSON::XS->new->decode($data) }; if ($@) { my $error_msg = (basename($0) eq 'checksetup.pl') ? $@ : 'run checksetup.pl to see the details.'; die "Error parsing $file: $error_msg"; } - # JSON::XS doesn't detaint data for us. - foreach my $key (keys %params) { - if (ref($params{$key}) eq "ARRAY") { - foreach my $item (@{$params{$key}}) { - trick_taint($item); - } - } else { - trick_taint($params{$key}) if defined $params{$key}; - } - } } elsif ($ENV{'SERVER_SOFTWARE'}) { # We're in a CGI, but the params file doesn't exist. We can't @@ -332,7 +323,7 @@ sub read_param_file { die "The $file file does not exist." . ' You probably need to run checksetup.pl.', } - return \%params; + return $params // {}; } 1; |