author | mkanat%bugzilla.org <> | 2009-11-09 19:27:52 +0100 |
---|---|---|
committer | mkanat%bugzilla.org <> | 2009-11-09 19:27:52 +0100 |
commit | 5dc75560608d63c6ee8e4c918cace9882f8ddf3b (patch) | |
tree | 479634a27e51eb3e1a10a04258dbceca416c91cf /Bugzilla/WebService/Util.pm | |
parent | 877c8ef605f770b00aeda25588c963ef3d5597af (diff) | |
Bug 513593: Make the WebService taint incoming parameters
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
Diffstat (limited to 'Bugzilla/WebService/Util.pm')
-rw-r--r-- | Bugzilla/WebService/Util.pm | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index 74c1f2f02..8ff608c3a 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -21,10 +21,17 @@ package Bugzilla::WebService::Util;
 use strict;
-
 use base qw(Exporter);
-our @EXPORT_OK = qw(filter validate);
+# We have to "require", not "use" this, because otherwise it tries to
+# use features of Test::More during import().
+require Test::Taint;
+
+our @EXPORT_OK = qw(
+ filter
+ taint_data
+ validate
+);
 sub filter ($$) {
 my ($params, $hash) = @_;
@@ -44,6 +51,32 @@ sub filter ($$) {
 return \%newhash;
 }
+sub taint_data {
+ my $params = shift;
+ return if !$params;
+ # Though this is a private function, it hasn't changed since 2004 and
+ # should be safe to use, and prevents us from having to write it ourselves
+ # or require another module to do it.
+ Test::Taint::_deeply_traverse(\&_delete_bad_keys, $params);
+ Test::Taint::taint_deeply($params);
+}
+
+sub _delete_bad_keys {
+ foreach my $item (@_) {
+ next if ref $item ne 'HASH';
+ foreach my $key (keys %$item) {
+ # Making something a hash key always untaints it, in Perl.
+ # However, we need to validate our argument names in some way.
+ # We know that all hash keys passed in to the WebService will
+ # match \w+, so we delete any key that doesn't match that.
+ if ($key !~ /^\w+$/) {
+ delete $item->{$key};
+ }
+ }
+ }
+ return @_;
+}
+
 sub validate {
 my ($self, $params, @keys) = @_; |
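Review bot: `require Test::Taint;` in the first hunk turns a module from the Test:: namespace into a hard runtime dependency of the WebService layer, but the comment above it only explains why it is `require`d rather than `use`d. A sentence stating that the module is now mandatory at runtime (not just a test helper) would help packagers and anyone reading the install requirements, e.g. `# Test::Taint is a required runtime module here, not only a test dependency.` Whether the install-time required-module list was updated in the same commit is not visible in this diffstat, which is limited to Util.pm, so that should be confirmed. As far as I recall, Test::Taint's tainting functions are no-ops when the interpreter is not running with taint checks enabled, so if that is the case the comment could also note that taint_data() only has an effect under -T.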
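Review bot: The key filter in `_delete_bad_keys` uses `/^\w+$/`, and `$` also matches immediately before a trailing newline, so a key such as `"name\n"` survives a check whose comment says keys must match `\w+`; the intended rule is `if ($key !~ /\A\w+\z/) {`. On decoded (character) strings `\w` also matches non-ASCII letters and digits, so if the WebService argument names are meant to be ASCII-only, the comment should say so rather than implying `\w+` is the whole story. The `ref $item ne 'HASH'` guard skips blessed hash references, which is presumably fine for data decoded from a request but is worth a short note since any such object would keep its keys unvalidated.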