authorFrédéric Buclin <LpSolit@gmail.com>2010-08-05 00:10:22 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2010-08-05 00:10:22 +0200
commit861fef876f3cb8a50437ee41b6ba4c8d0cb1e239 (patch)
treeb76de5a3b2541e76ee018f6a7e8afd33ecf8f979 /Bugzilla/Template.pm
parent2ea4b3d38e8a012f61d20e6831daaf06493c3d95 (diff)
Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing a bug if a comment contains 'bug <num>' or 'attachment <num>' where <num> is greater than the max allowed integer
r=mkanat a=LpSolit
Diffstat (limited to 'Bugzilla/Template.pm')
-rw-r--r--Bugzilla/Template.pm18
1 files changed, 6 insertions, 12 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 4abc8a6ee..923336d45 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -268,21 +268,15 @@ sub get_attachment_link {
my ($attachid, $link_text) = @_;
my $dbh = Bugzilla->dbh;
- detaint_natural($attachid)
- || die "get_attachment_link() called with non-integer attachment number";
+ my $attachment = new Bugzilla::Attachment($attachid);
- my ($bugid, $isobsolete, $desc, $is_patch) =
- $dbh->selectrow_array('SELECT bug_id, isobsolete, description, ispatch
- FROM attachments WHERE attach_id = ?',
- undef, $attachid);
-
- if ($bugid) {
+ if ($attachment) {
my $title = "";
my $className = "";
- if (Bugzilla->user->can_see_bug($bugid)) {
- $title = $desc;
+ if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+ $title = $attachment->description;
}
- if ($isobsolete) {
+ if ($attachment->isobsolete) {
$className = "bz_obsolete";
}
# Prevent code injection in the title.
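Review bot: With the `detaint_natural($attachid)` guard removed, nothing in this hunk says that `$attachid` is still validated, so the `if ($attachment)` test now depends silently on the `Bugzilla::Attachment` constructor rejecting non-integer and out-of-range ids. I would add a comment above the constructor call, for example `# new() validates the id and returns a false value for invalid or too-large ids, so no detaint_natural() is needed here.`, after confirming it against the constructor, which is not shown here. get_attachment_link continues outside the hunk; if the raw `$attachid` is interpolated into the generated link further down, it is no longer guaranteed to be a detainted integer, and `$attachment->id` would be the safer value to emit. The `my $dbh = Bugzilla->dbh;` context line also looks unused after this change, as far as the visible lines show.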
@@ -294,7 +288,7 @@ sub get_attachment_link {
# If the attachment is a patch, try to link to the diff rather
# than the text, by default.
my $patchlink = "";
- if ($is_patch and Bugzilla->feature('patch_viewer')) {
+ if ($attachment->ispatch and Bugzilla->feature('patch_viewer')) {
$patchlink = '&amp;action=diff';
}