author | Matt Tyson <mtyson@redhat.com> | 2016-02-25 01:07:20 +0100 |
committer | Dylan Hardison <dylan@mozilla.com> | 2016-02-25 01:07:20 +0100 |
commit | 5c7b05750982bca4528c5acde579012f7ccf9120 (patch) | |
tree | ae361472488807b59cf9641fc7fbb151db689b8b /Bugzilla | |
parent | 1969f955c4fc89c4d5a1e955f9bf28fef133efa3 (diff) | |
Bug 1250786 - Detainting of params.json
r=dylan,a=dylan
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Config.pm | 17 |
1 files changed, 4 insertions, 13 deletions
diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm index d47577212..64f228915 100644 --- a/Bugzilla/Config.pm +++ b/Bugzilla/Config.pm @@ -292,32 +292,23 @@ sub write_params { } sub read_param_file { - my %params; + my $params; my $file = bz_locations()->{'datadir'} . '/params.json'; if (-e $file) { my $data; read_file($file, binmode => ':utf8', buf_ref => \$data); + trick_taint($data); # If params.json has been manually edited and e.g. some quotes are # missing, we don't want JSON::XS to leak the content of the file # to all users in its error message, so we have to eval'uate it. - %params = eval { %{JSON::XS->new->decode($data)} }; + $params = eval { JSON::XS->new->decode($data) }; if ($@) { my $error_msg = (basename($0) eq 'checksetup.pl') ? $@ : 'run checksetup.pl to see the details.'; die "Error parsing $file: $error_msg"; } - # JSON::XS doesn't detaint data for us. - foreach my $key (keys %params) { - if (ref($params{$key}) eq "ARRAY") { - foreach my $item (@{$params{$key}}) { - trick_taint($item); - } - } else { - trick_taint($params{$key}) if defined $params{$key}; - } - } } elsif ($ENV{'SERVER_SOFTWARE'}) { # We're in a CGI, but the params file doesn't exist. We can't @@ -332,7 +323,7 @@ sub read_param_file { die "The $file file does not exist." . ' You probably need to run checksetup.pl.', } - return \%params; + return $params // {}; } 1; |
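Review bot: The new `$params = eval { JSON::XS->new->decode($data) };` no longer guarantees that read_param_file returns a hash reference: the removed `%{ ... }` dereference died inside the eval (and so hit the `if ($@)` error path) when params.json held a top-level JSON array, whereas the new code lets an array reference through and the second hunk returns it via `return $params // {};`, so callers dereferencing it as a hash fail later with a less useful message. I would add, after the `if ($@) { ... }` block, `die "Error parsing $file: top-level value is not a JSON object" unless ref($params) eq 'HASH';` — the message deliberately does not echo file contents, in keeping with the leak concern already commented above the eval. Separately, the added `trick_taint($data);` is now broader than the loop it replaces (it detaints the whole blob, including any nested structures the old loop skipped) and has lost its explanatory comment; a line such as `# JSON::XS doesn't detaint decoded values; the file lives under datadir and is presumably only written by write_params(), so detaint the raw blob before parsing.` would record why trusting the entire file is acceptable here. The middle of read_param_file's body (between the two hunks) is outside the diff.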