Bug 513593: Make the WebService taint incoming parameters

Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
author: mkanat%bugzilla.org <> 2009-11-09 19:27:52 +0100
committer: mkanat%bugzilla.org <> 2009-11-09 19:27:52 +0100
commit: 5dc75560608d63c6ee8e4c918cace9882f8ddf3b (patch)
tree: 479634a27e51eb3e1a10a04258dbceca416c91cf /Bugzilla/WebService/Server/JSONRPC.pm
parent: 877c8ef605f770b00aeda25588c963ef3d5597af (diff)
download: bugzilla-5dc75560608d63c6ee8e4c918cace9882f8ddf3b.tar.gz
bugzilla-5dc75560608d63c6ee8e4c918cace9882f8ddf3b.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index b453c6196..e54387a6d 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -26,6 +26,7 @@ use base qw(JSON::RPC::Server::CGI Bugzilla::WebService::Server);
 
 use Bugzilla::Error;
 use Bugzilla::WebService::Constants;
+use Bugzilla::WebService::Util qw(taint_data);
 use Date::Parse;
 use DateTime;
 
@@ -123,6 +124,8 @@ sub _argument_type_check {
         $params = $params->[0];
     }
 
+    taint_data($params);
+
     # Now, convert dateTime fields on input.
     $self->_bz_method_name =~ /^(\S+)\.(\S+)$/;
     my ($class, $method) = ($1, $2);
author	mkanat%bugzilla.org <>	2009-11-09 19:27:52 +0100
committer	mkanat%bugzilla.org <>	2009-11-09 19:27:52 +0100
commit	5dc75560608d63c6ee8e4c918cace9882f8ddf3b (patch)
tree	479634a27e51eb3e1a10a04258dbceca416c91cf /Bugzilla/WebService/Server/JSONRPC.pm
parent	877c8ef605f770b00aeda25588c963ef3d5597af (diff)
download	bugzilla-5dc75560608d63c6ee8e4c918cace9882f8ddf3b.tar.gz bugzilla-5dc75560608d63c6ee8e4c918cace9882f8ddf3b.tar.xz