authorFrédéric Buclin <LpSolit@gmail.com>2012-01-27 22:28:45 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-01-27 22:28:45 +0100
commitba6261338264e750809ae1b3f228440e8bccf6db (patch)
tree585d18f05b324a63d0b7ae911cf3c8849d5d27c2 /Bugzilla/Bug.pm
parent65179ca18399bc3a6139b6412bc52474d57b073e (diff)
Bug 721715: URLs in the See Also field must be detainted before inserted into the DB
r=dkl a=LpSolit
Diffstat (limited to 'Bugzilla/Bug.pm')
-rw-r--r--Bugzilla/Bug.pm7
1 files changed, 3 insertions, 4 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index ddfe57028..a848c866b 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2853,14 +2853,13 @@ sub add_see_also {
$class->check_required_create_fields($params);
my $field_values = $class->run_create_validators($params);
- $uri = $field_values->{value};
- $field_values->{value} = $uri->as_string;
+ my $value = $field_values->{value}->as_string;
+ trick_taint($value);
+ $field_values->{value} = $value;
# We only add the new URI if it hasn't been added yet. URIs are
# case-sensitive, but most of our DBs are case-insensitive, so we do
# this check case-insensitively.
- my $value = $uri->as_string;
-
if (!grep { lc($_->name) eq lc($value) } @{ $self->see_also }) {
my $privs;
my $can = $self->check_can_change_field('see_also', '', $value, \$privs);
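Review bot: The added `trick_taint($value);` clears the taint flag unconditionally, and nothing in the hunk records why that is safe here. As far as these lines show, the only vetting of the URL is the `run_create_validators($params)` call two lines earlier, so the detaint is only as strong as whatever those validators enforce (their code is not visible in this hunk). I would put a comment directly above the call, e.g. `# Safe to detaint: the URL was checked and canonicalized by run_create_validators() above.`, so that a later reorder or an added early path cannot silently detaint raw input. Keeping the detaint on the local `$value` copy and assigning it back afterwards, as done here, is the right shape. The body of add_see_also starts and ends outside the hunk.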