diff options
author | lpsolit%gmail.com <> | 2005-12-19 04:13:00 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-12-19 04:13:00 +0100 |
commit | a224dfe5f7c3d54d9d0ad8e521f799414b7386b8 (patch) | |
tree | 5afaac93feffd6972487e7b607e4d6c361fb32d7 | |
parent | d80d8848eb000cbbaf771feff60631ffb2688c5a (diff) | |
download | bugzilla-a224dfe5f7c3d54d9d0ad8e521f799414b7386b8.tar.gz bugzilla-a224dfe5f7c3d54d9d0ad8e521f799414b7386b8.tar.xz |
Bug 319082: "new Bugzilla::User($uid)" allows you to pass invalid $uid - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=justdave
-rw-r--r-- | Bugzilla/User.pm | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index 9f6c415ef..fe46dc292 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -69,10 +69,20 @@ use constant MATCH_SKIP_CONFIRM => 1; sub new { my $invocant = shift; - if (scalar @_ == 0) { + my $user_id = shift; + + if ($user_id) { + my $uid = $user_id; + detaint_natural($user_id) + || ThrowCodeError('invalid_numeric_argument', + {argument => 'userID', + value => $uid, + function => 'Bugzilla::User::new'}); + return $invocant->_create("userid=?", $user_id); + } + else { return $invocant->_create; } - return $invocant->_create("userid=?", @_); } # This routine is sort of evil. Nothing except the login stuff should @@ -85,8 +95,10 @@ sub new { # in the id its already had to validate (or the User.pm object, of course) sub new_from_login { my $invocant = shift; + my $login = shift; + my $dbh = Bugzilla->dbh; - return $invocant->_create($dbh->sql_istrcmp('login_name', '?'), @_); + return $invocant->_create($dbh->sql_istrcmp('login_name', '?'), $login); } # Internal helper for the above |new| methods |