authorlpsolit%gmail.com <>2006-07-19 06:54:38 +0200
committerlpsolit%gmail.com <>2006-07-19 06:54:38 +0200
commitfbf78711a9aca674dd1a2fa374e6501d1212531b (patch)
tree65e26a09f9b094b18af548ce0cc8686218e3aa09
parent78094dfe411b41a33d930c7f0c623cc2eb216c28 (diff)
Bug 345032: Tainted value in request.cgi when restricting the search to a given flag - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=myk
-rw-r--r--Bugzilla/FlagType.pm8
1 files changed, 5 insertions, 3 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index b5bbbc87b..6b3b7d15c 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -461,14 +461,16 @@ sub sqlify_criteria {
my @criteria = ("1=1");
if ($criteria->{name}) {
- push(@criteria, "flagtypes.name = " . $dbh->quote($criteria->{name}));
+ my $name = $dbh->quote($criteria->{name});
+ trick_taint($name); # Detaint data as we have quoted it.
+ push(@criteria, "flagtypes.name = $name");
}
if ($criteria->{target_type}) {
# The target type is stored in the database as a one-character string
# ("a" for attachment and "b" for bug), but this function takes complete
# names ("attachment" and "bug") for clarity, so we must convert them.
- my $target_type = $dbh->quote(substr($criteria->{target_type}, 0, 1));
- push(@criteria, "flagtypes.target_type = $target_type");
+ my $target_type = $criteria->{target_type} eq 'bug'? 'b' : 'a';
+ push(@criteria, "flagtypes.target_type = '$target_type'");
}
if (exists($criteria->{is_active})) {
my $is_active = $criteria->{is_active} ? "1" : "0";
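Review bot: The new `target_type` mapping treats every value other than `'bug'` as an attachment, so a misspelled or unexpected value from the request now silently filters on attachment flag types. The old `substr` form would have produced a code that matches no rows. An explicit lookup keeps the constant-only SQL while rejecting unknown input: `my %code_for = (bug => 'b', attachment => 'a');` then `my $target_type = $code_for{$criteria->{target_type}};`, pushing the criterion only when that is defined (or raising an error otherwise). In the `name` branch, `trick_taint($name)` is sound only because it directly follows `$dbh->quote`; the comment could say so, e.g. `# Safe to detaint only because $name is the output of $dbh->quote above; keep the two together.` The body of `sqlify_criteria` starts and ends outside this hunk, so how callers validate `$criteria` is not visible here.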