diff options
author | myk%mozilla.org <> | 2001-11-08 09:49:18 +0100 |
---|---|---|
committer | myk%mozilla.org <> | 2001-11-08 09:49:18 +0100 |
commit | 4b5278c7ba3654533b551a9ab5fab1c40c58d74d (patch) | |
tree | 1135548429931a0b2b77effa532507a0aaedcd12 /buglist.cgi | |
parent | e2a35933ed9e65075163f00b8346622babdeca48 (diff) | |
download | bugzilla-4b5278c7ba3654533b551a9ab5fab1c40c58d74d.tar.gz bugzilla-4b5278c7ba3654533b551a9ab5fab1c40c58d74d.tar.xz |
Fix for bug 108812: Prevent users from running queries containing arbitrary SQL.
Patch by Jake <jake@acutex.net>
r=bbaetz,myk
Diffstat (limited to 'buglist.cgi')
-rwxr-xr-x | buglist.cgi | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/buglist.cgi b/buglist.cgi index 0aba4ecc0..18ad053dc 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -187,10 +187,14 @@ sub GenerateSQL { push(@specialchart, ["bug_id", $type, join(',', @{$M{'bug_id'}})]); } - if (defined $F{'sql'}) { - die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/; - push(@wherepart, "( $F{'sql'} )"); - } +# This is evil. We should never allow a user to directly append SQL to +# any query without a huge amount of validation. Even then, it would +# be a bad idea. Beware that uncommenting this will allow someone to +# peak at virtually anything they want in the bugs database. +# if (defined $F{'sql'}) { +# die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/; +# push(@wherepart, "( $F{'sql'} )"); +# } my @legal_fields = ("product", "version", "rep_platform", "op_sys", "bug_status", "resolution", "priority", "bug_severity", |