author | lpsolit%gmail.com <> | 2006-03-09 06:35:54 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-03-09 06:35:54 +0100 |
commit | 5ce63a09c5771f16e33830981534bc392f4b67f7 (patch) | |
tree | a3ad3bad1492f87ef279014ab6a25feae2bf0afe | |
parent | 83d3f2a4d652fc80b04e24b7b602f1b022a8df6e (diff) | |
download | bugzilla-5ce63a09c5771f16e33830981534bc392f4b67f7.tar.gz bugzilla-5ce63a09c5771f16e33830981534bc392f4b67f7.tar.xz |
Bug 329783: SQL crash in request.cgi when the status field is used - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wurblzap a=justdave
-rwxr-xr-x | request.cgi | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/request.cgi b/request.cgi index c60e9cc1f..1faeb1793 100755 --- a/request.cgi +++ b/request.cgi @@ -69,10 +69,10 @@ exit; sub queue { my $cgi = Bugzilla->cgi; my $dbh = Bugzilla->dbh; - - validateStatus($cgi->param('status')); - validateGroup($cgi->param('group')); - + + my $status = validateStatus($cgi->param('status')); + my $form_group = validateGroup($cgi->param('group')); + my $attach_join_clause = "flags.attach_id = attachments.attach_id"; if (Param("insidergroup") && !UserInGroup(Param("insidergroup"))) { $attach_join_clause .= " AND attachments.isprivate < 1"; @@ -132,7 +132,7 @@ sub queue { $query .= " AND flags.is_active = 1 "; # Limit query to pending requests. - $query .= " AND flags.status = '?' " unless $cgi->param('status'); + $query .= " AND flags.status = '?' " unless $status; # The set of criteria by which we filter records to display in the queue. my @criteria = (); @@ -146,13 +146,13 @@ sub queue { # Filter requests by status: "pending", "granted", "denied", "all" # (which means any), or "fulfilled" (which means "granted" or "denied"). - if ($cgi->param('status')) { - if ($cgi->param('status') eq "+-") { + if ($status) { + if ($status eq "+-") { push(@criteria, "flags.status IN ('+', '-')"); push(@excluded_columns, 'status') unless $cgi->param('do_union'); } - elsif ($cgi->param('status') ne "all") { - push(@criteria, "flags.status = '" . $cgi->param('status') . "'"); + elsif ($status ne "all") { + push(@criteria, "flags.status = '$status'"); push(@excluded_columns, 'status') unless $cgi->param('do_union'); } } @@ -237,7 +237,6 @@ sub queue { # so the loop in the display template can break them up into separate # tables every time the value in the group column changes. - my $form_group = $cgi->param('group'); $form_group ||= "requestee"; if ($form_group eq "requester") { $query .= " ORDER BY requesters.realname, requesters.login_name"; 
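Review bot: In the first hunk, `validateStatus($cgi->param('status'))` and `validateGroup($cgi->param('group'))` evaluate `param()` in list context, so a request that repeats the parameter passes several values to the validator and only the first one is checked and returned (the validators take it with `shift`, as the last hunk shows). That is harmless with the current one-argument validators, but the safety is accidental and easy to lose if a validator later gains a second argument. Forcing a single value makes the intent explicit: `my $status = validateStatus(scalar $cgi->param('status'));` and `my $form_group = validateGroup(scalar $cgi->param('group'));`. The body of `queue` starts and continues outside this hunk.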
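Review bot: In the third hunk, `push(@criteria, "flags.status = '$status'");` builds SQL by string interpolation, so its safety depends entirely on the whitelist inside `validateStatus`, which lives in a different part of the file. Because the value has been passed through `trick_taint` by then, taint checking will no longer flag it if the whitelist ever gains a value containing a quote character. Quoting at the point of use keeps this statement safe on its own: `push(@criteria, "flags.status = " . $dbh->quote($status));` (`$dbh` is already declared at the top of `queue`).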
@@ -304,20 +303,24 @@ sub queue { ################################################################################ sub validateStatus { - my $status = $_[0]; + my $status = shift; return if !defined $status; - + grep($status eq $_, qw(? +- + - all)) || ThrowCodeError("flag_status_invalid", { status => $status }); + trick_taint($status); + return $status; } sub validateGroup { - my $group = $_[0]; + my $group = shift; return if !defined $group; - + grep($group eq $_, qw(requester requestee category type)) || ThrowCodeError("request_queue_group_invalid", { group => $group }); + trick_taint($group); + return $group; } |
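Review bot: The new `trick_taint($status)` and `trick_taint($group)` calls are justified only by the exact-match `grep` against the literal list directly above them, and they presumably rely on `ThrowCodeError` never returning; neither assumption is written down. I would add a comment before each call, for example `# Safe to detaint: the value matched one of the literals above; ThrowCodeError does not return.`, so that nobody later moves the detaint above the check or loosens the match to a pattern. Each sub also deserves a one-line header saying that it now returns the validated, detainted value, or nothing when the parameter is absent, since `queue` depends on that return value after this change.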