summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2014-10-06 16:25:06 +0200
committerDavid Lawrence <dkl@mozilla.com>2014-10-06 16:25:06 +0200
commitce590bf022ef6c2fc0c0c902d773ec7a53e7e4ad (patch)
tree3708d76568e9b7152fbb8dbe8c1b7b5690b8394c /Bugzilla
parentb07267acd0301aef84aa74fc4aea39481cea6ad5 (diff)
downloadbugzilla-ce590bf022ef6c2fc0c0c902d773ec7a53e7e4ad.tar.gz
bugzilla-ce590bf022ef6c2fc0c0c902d773ec7a53e7e4ad.tar.xz
Bug 1075578: [SECURITY] Improper filtering of CGI arguments
r=dkl,a=sgreen
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Attachment.pm13
-rw-r--r--Bugzilla/Chart.pm7
2 files changed, 10 insertions, 10 deletions
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index 69939a657..fa8845358 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -911,10 +911,12 @@ sub get_content_type {
return 'text/plain' if ($cgi->param('ispatch') || $cgi->param('attach_text'));
my $content_type;
- if (!defined $cgi->param('contenttypemethod')) {
+ my $method = $cgi->param('contenttypemethod');
+
+ if (!defined $method) {
ThrowUserError("missing_content_type_method");
}
- elsif ($cgi->param('contenttypemethod') eq 'autodetect') {
+ elsif ($method eq 'autodetect') {
defined $cgi->upload('data') || ThrowUserError('file_not_specified');
# The user asked us to auto-detect the content type, so use the type
# specified in the HTTP request headers.
@@ -935,18 +937,17 @@ sub get_content_type {
$content_type = 'image/png';
}
}
- elsif ($cgi->param('contenttypemethod') eq 'list') {
+ elsif ($method eq 'list') {
# The user selected a content type from the list, so use their
# selection.
$content_type = $cgi->param('contenttypeselection');
}
- elsif ($cgi->param('contenttypemethod') eq 'manual') {
+ elsif ($method eq 'manual') {
# The user entered a content type manually, so use their entry.
$content_type = $cgi->param('contenttypeentry');
}
else {
- ThrowCodeError("illegal_content_type_method",
- { contenttypemethod => $cgi->param('contenttypemethod') });
+ ThrowCodeError("illegal_content_type_method", { contenttypemethod => $method });
}
return $content_type;
}
diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm
index dfbf32a51..8fd4706e4 100644
--- a/Bugzilla/Chart.pm
+++ b/Bugzilla/Chart.pm
@@ -110,10 +110,9 @@ sub init {
if ($self->{'datefrom'} && $self->{'dateto'} &&
$self->{'datefrom'} > $self->{'dateto'})
{
- ThrowUserError("misarranged_dates",
- {'datefrom' => $cgi->param('datefrom'),
- 'dateto' => $cgi->param('dateto')});
- }
+ ThrowUserError('misarranged_dates', { 'datefrom' => scalar $cgi->param('datefrom'),
+ 'dateto' => scalar $cgi->param('dateto') });
+ }
}
# Alter Chart so that the selected series are added to it.