author | Frédéric Buclin <LpSolit@gmail.com> | 2016-03-19 17:32:30 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2016-03-19 17:32:30 +0100 |
commit | 0cac98dfb514063de4201cd0037c465922cbef48 (patch) | |
tree | f3575344f9683a18f58b97400d43d48c0a7f95eb /Bugzilla/API/1_0/Util.pm | |
parent | 6da063a4c255b5d8be892863c2af5bb4d25673c0 (diff) | |
Bug 1230932: Providing a condition as an ID to the webservice results in a taint error
r=dkl
Diffstat (limited to 'Bugzilla/API/1_0/Util.pm')
-rw-r--r-- | Bugzilla/API/1_0/Util.pm | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/Bugzilla/API/1_0/Util.pm b/Bugzilla/API/1_0/Util.pm
index e2c7b1f1f..ce4487c1f 100644
--- a/Bugzilla/API/1_0/Util.pm
+++ b/Bugzilla/API/1_0/Util.pm
@@ -22,6 +22,7 @@ use MIME::Base64 qw(decode_base64 encode_base64);
 use Storable qw(dclone);
 use Test::Taint ();
 use URI::Escape qw(uri_unescape);
+use List::MoreUtils qw(any none);
 use parent qw(Exporter);
@@ -248,14 +249,19 @@ sub validate {
 # $params should be.
 return ($self, undef) if (defined $params and !ref $params);
+ my @id_params = qw(ids comment_ids);
 # If @keys is not empty then we convert any named
 # parameters that have scalar values to arrayrefs
 # that match.
 foreach my $key (@keys) {
 if (exists $params->{$key}) {
- $params->{$key} = ref $params->{$key}
- ? $params->{$key}
- : [ $params->{$key} ];
+ $params->{$key} = [ $params->{$key} ] unless ref $params->{$key};
+
+ if (any { $key eq $_ } @id_params) {
+ my $ids = $params->{$key};
+ ThrowCodeError('param_scalar_array_required', { param => $key })
+ unless ref($ids) eq 'ARRAY' && none { ref $_ } @$ids;
+ }
 }
 } |
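Review bot: The new reference check in `validate` runs only for the keys named in `@id_params` (`ids`, `comment_ids`), so any other key a caller lists in `@keys` still passes through unchanged when it is a hash ref or an array containing refs, because `unless ref $params->{$key}` skips every reference. If every key handed to `validate` is meant to end up as a flat array of scalars, as the comment above the loop suggests, drop the name filter and apply `ThrowCodeError('param_scalar_array_required', { param => $key }) unless ref($params->{$key}) eq 'ARRAY' && none { ref $_ } @{ $params->{$key} };` to all of them; otherwise add a comment on `@id_params` saying why only these two need it. The check also accepts `undef` or non-numeric elements, which is presumably left to the callers' own ID validation. `validate` starts and ends outside this hunk.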