author | bbaetz%student.usyd.edu.au <> | 2002-08-13 15:54:35 +0200 |
---|---|---|
committer | bbaetz%student.usyd.edu.au <> | 2002-08-13 15:54:35 +0200 |
commit | 9b22dcde525cb7e0b0b88b80d627e7e1d3dd5e6c (patch) | |
tree | 5ad90a3800a05fbfc2cecb0c5f5f4dba396d852d | |
parent | ebdbe669e45bfbfecb7330475a878583e09763ca (diff) | |
download | bugzilla-9b22dcde525cb7e0b0b88b80d627e7e1d3dd5e6c.tar.gz bugzilla-9b22dcde525cb7e0b0b88b80d627e7e1d3dd5e6c.tar.xz |
Bug 160710 - Taint checking causes problem with rename function
r=joel, preed
-rw-r--r-- | template/en/default/account/prefs/prefs.html.tmpl | 11 | ||||
-rwxr-xr-x | userprefs.cgi | 5 |
2 files changed, 15 insertions, 1 deletions
diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index d455b5b66..327218e17 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -100,7 +100,16 @@
 <form method="post" action="userprefs.cgi">
 <input type="hidden" name="tab" value="[% current_tab.name %]">
- [% PROCESS "account/prefs/${current_tab.name}.html.tmpl" IF current_tab.name.defined %]
+ [%# See bug 160710 for why this is done this way %]
+ [% IF current_tab.name == "account" %]
+ [% PROCESS "account/prefs/account.html.tmpl" %]
+ [% ELSIF current_tab.name == "email" %]
+ [% PROCESS "account/prefs/email.html.tmpl" %]
+ [% ELSIF current_tab.name == "footer" %]
+ [% PROCESS "account/prefs/footer.html.tmpl" %]
+ [% ELSIF current_tab.name == "permissions" %]
+ [% PROCESS "account/prefs/permissions.html.tmpl" %]
+ [% END %]
 [% IF current_tab.saveable %]
 <input type="hidden" name="dosave" value="1">
diff --git a/userprefs.cgi b/userprefs.cgi
index 84c8ea027..cf58cf265 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -370,6 +370,9 @@ $vars->{'changes_saved'} = $::FORM{'dosave'};
 my $current_tab_name = $::FORM{'tab'} || "account";
+# The SWITCH below makes sure that this is valid
+trick_taint($current_tab_name);
+
 $vars->{'current_tab_name'} = $current_tab_name;
 # Do any saving, and then display the current tab.
@@ -393,6 +396,8 @@ SWITCH: for ($current_tab_name) {
 DoPermissions();
 last SWITCH;
 };
+ ThrowUserError("Unknown tab <code>" . html_quote($current_tab_name)
+ . "</code>");
 }
 # Generate and return the UI (HTML page) from the appropriate template. |
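Review bot: The new IF/ELSIF chain on `current_tab.name` has no ELSE branch, so a tab name outside the four listed ones renders an empty form body with no visible error. The list of tabs now also has to be kept in step by hand with the SWITCH in userprefs.cgi. The added comment only cites a bug number; stating the constraint inline would serve the next maintainer better, e.g. `[%# Template paths are literals so that no request-derived value is interpolated into PROCESS; keep in sync with the SWITCH in userprefs.cgi (bug 160710) %]` (the reason is inferred from the commit title and should be confirmed against the bug). The form continues past the end of this hunk.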
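Review bot: `trick_taint($current_tab_name)` clears the taint flag before anything has checked the value, which comes straight from `$::FORM{'tab'}`, and the following line already copies it into `$vars`. The only justification is a comment pointing at the SWITCH further down, so the safety of this line depends on code that can be edited independently. Validating first and untainting from the capture keeps the two together: `$current_tab_name =~ /\A(account|email|footer|permissions)\z/ or ThrowUserError(...);` then `$current_tab_name = $1;`, using the four names listed in the template. The SWITCH case patterns are not visible here, so confirm that they are anchored tightly enough, for example against a trailing newline.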
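Review bot: The added `ThrowUserError` call at the end of the SWITCH body is reached only because every case above leaves the loop with `last SWITCH`; a case added later without it would fall through and report a valid tab as unknown. A one-line comment before the call would record that dependency, e.g. `# Only reached when no case matched; every case must end with "last SWITCH"`. The SWITCH body begins outside this hunk, so the earlier cases could not be checked.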