authorFrédéric Buclin <LpSolit@gmail.com>2010-08-05 00:10:22 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2010-08-05 00:10:22 +0200
commit861fef876f3cb8a50437ee41b6ba4c8d0cb1e239 (patch)
treeb76de5a3b2541e76ee018f6a7e8afd33ecf8f979 /Bugzilla
parent2ea4b3d38e8a012f61d20e6831daaf06493c3d95 (diff)
Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing a bug if a comment contains 'bug <num>' or 'attachment <num>' where <num> is greater than the max allowed integer
r=mkanat a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Constants.pm2
-rw-r--r--Bugzilla/Object.pm5
-rw-r--r--Bugzilla/Template.pm18
3 files changed, 13 insertions, 12 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 2477d546f..72f4d4512 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -170,6 +170,7 @@ use Memoize;
MIN_SMALLINT
MAX_SMALLINT
+ MAX_INT_32
MAX_LEN_QUERY_NAME
MAX_CLASSIFICATION_SIZE
@@ -513,6 +514,7 @@ use constant ROOT_USER => ON_WINDOWS ? 'Administrator' : 'root';
use constant MIN_SMALLINT => -32768;
use constant MAX_SMALLINT => 32767;
+use constant MAX_INT_32 => 2147483647;
# The longest that a saved search name can be.
use constant MAX_LEN_QUERY_NAME => 64;
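Review bot: `use constant MAX_INT_32 => 2147483647;` is added without a comment, while the neighbouring `MAX_LEN_QUERY_NAME` explains its purpose, so a reader has to dig up bug 583690 to learn why a 32-bit bound lives here. I would add above it `# Largest value a 32-bit signed INT column holds; ids above it must never be sent to the database (bug 583690).` The value is 2^31-1, which matches the range of PostgreSQL's INTEGER type, presumably the id column type on the backend the commit message names.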
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index a7c92b269..66dac9422 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -87,6 +87,9 @@ sub _init {
|| ThrowCodeError('param_must_be_numeric',
{function => $class . '::_init'});
+ # Too large integers make PostgreSQL crash.
+ return if $id > MAX_INT_32;
+
$object = $dbh->selectrow_hashref(qq{
SELECT $columns FROM $table
WHERE $id_field = ?}, undef, $id);
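Review bot: The new comment `# Too large integers make PostgreSQL crash.` misdescribes the failure: PostgreSQL rejects an out-of-range bind value with an error, and it is Bugzilla that dies on the failed query (presumably via DBI's RaiseError), so the early `return` is really mapping an impossible id onto "object not found". I would word it `# An id above the INT column range makes the database reject the query; treat it as "not found" instead of dying.` The check correctly sits after `detaint_natural`, so `$id` is a non-negative digit string and the numeric comparison stays safe even for very long inputs. `_init` starts and ends outside this hunk, and the hunk does not show the `use Bugzilla::Constants` import that `MAX_INT_32` needs in Object.pm — presumably already present.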
@@ -165,6 +168,8 @@ sub new_from_list {
detaint_natural($id) ||
ThrowCodeError('param_must_be_numeric',
{function => $class . '::new_from_list'});
+ # Too large integers make PostgreSQL crash.
+ next if $id > MAX_INT_32;
push(@detainted_ids, $id);
}
# We don't do $invocant->match because some classes have
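Review bot: The bound check `next if $id > MAX_INT_32;` and its comment are a verbatim copy of the one added to `_init` earlier in this commit; two copies of a database-specific limit are easy to update unevenly, for instance if an id column ever becomes BIGINT. A one-line private helper would keep them in step, e.g. `sub _id_in_range { return $_[0] <= MAX_INT_32 }` with `next unless _id_in_range($id);` here and `return unless _id_in_range($id);` in `_init`. Silently skipping the id matches what `new_from_list` already does for ids that match no row, so callers see no new behaviour. `new_from_list` continues past the end of this hunk.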
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 4abc8a6ee..923336d45 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -268,21 +268,15 @@ sub get_attachment_link {
my ($attachid, $link_text) = @_;
my $dbh = Bugzilla->dbh;
- detaint_natural($attachid)
- || die "get_attachment_link() called with non-integer attachment number";
+ my $attachment = new Bugzilla::Attachment($attachid);
- my ($bugid, $isobsolete, $desc, $is_patch) =
- $dbh->selectrow_array('SELECT bug_id, isobsolete, description, ispatch
- FROM attachments WHERE attach_id = ?',
- undef, $attachid);
-
- if ($bugid) {
+ if ($attachment) {
my $title = "";
my $className = "";
- if (Bugzilla->user->can_see_bug($bugid)) {
- $title = $desc;
+ if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+ $title = $attachment->description;
}
- if ($isobsolete) {
+ if ($attachment->isobsolete) {
$className = "bz_obsolete";
}
# Prevent code injection in the title.
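Review bot: `my $dbh = Bugzilla->dbh;` at the top of `get_attachment_link` looks unused now that the hand-written `selectrow_array` is gone; unless the part of the function below this hunk still uses it, drop the line. `new Bugzilla::Attachment($attachid)` is indirect-object syntax; `Bugzilla::Attachment->new($attachid)` is the unambiguous form, though the rest of the codebase may use the indirect style consistently. Note also that a non-numeric `$attachid` no longer dies here but reaches `ThrowCodeError('param_must_be_numeric')` in `Bugzilla::Object::_init` (visible in this commit's Object.pm hunk), a friendlier failure but a behaviour change worth a line in the commit message. The function continues past the end of this hunk.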
@@ -294,7 +288,7 @@ sub get_attachment_link {
# If the attachment is a patch, try to link to the diff rather
# than the text, by default.
my $patchlink = "";
- if ($is_patch and Bugzilla->feature('patch_viewer')) {
+ if ($attachment->ispatch and Bugzilla->feature('patch_viewer')) {
$patchlink = '&amp;action=diff';
}