Bug 783794: Bugzilla::User->visible_bugs should validate input data

r=glob a=LpSolit
author: Frédéric Buclin <LpSolit@gmail.com> 2012-09-13 01:44:01 +0200
committer: Frédéric Buclin <LpSolit@gmail.com> 2012-09-13 01:44:01 +0200
commit: 4d1a1df823cd3690ff14b2579291182d6dbf7934 (patch)
tree: 39923523091b26830b8eff87a0f2aca8933d8778 /Bugzilla/User.pm
parent: 14754acd35e246b1baab0293d711e1a0aeefe6a9 (diff)
download: bugzilla-4d1a1df823cd3690ff14b2579291182d6dbf7934.tar.gz
bugzilla-4d1a1df823cd3690ff14b2579291182d6dbf7934.tar.xz
1 files changed, 8 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 87255b20a..9fa7458e7 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -883,6 +883,14 @@ sub visible_bugs {
     if (@check_ids) {
         my $dbh = Bugzilla->dbh;
         my $user_id = $self->id;
+
+        foreach my $id (@check_ids) {
+            my $orig_id = $id;
+            detaint_natural($id)
+              || ThrowCodeError('param_must_be_numeric', { param    => $orig_id,
+                                                           function => 'Bugzilla::User->visible_bugs'});
+        }
+
         my $sth;
         # Speed up the can_see_bug case.
         if (scalar(@check_ids) == 1) {
author	Frédéric Buclin <LpSolit@gmail.com>	2012-09-13 01:44:01 +0200
committer	Frédéric Buclin <LpSolit@gmail.com>	2012-09-13 01:44:01 +0200
commit	4d1a1df823cd3690ff14b2579291182d6dbf7934 (patch)
tree	39923523091b26830b8eff87a0f2aca8933d8778 /Bugzilla/User.pm
parent	14754acd35e246b1baab0293d711e1a0aeefe6a9 (diff)
download	bugzilla-4d1a1df823cd3690ff14b2579291182d6dbf7934.tar.gz bugzilla-4d1a1df823cd3690ff14b2579291182d6dbf7934.tar.xz