author | justdave%syndicomm.com <> | 2001-12-30 14:46:24 +0100 |
committer | justdave%syndicomm.com <> | 2001-12-30 14:46:24 +0100 |
commit | 668ec7dae535ce543f13ef5a36830da7421e1e68 (patch) | |
tree | 0d6cc71e092992eb066e89bdfa33937e6b95409f /buglist.cgi | |
parent | d4f9c9fca320fa792f45e98204a1a7232f7c81a0 (diff) | |
SECURITY FIX for bug 109679: It was possible to send arbitrary SQL to buglist.cgi by altering the HTML form before submitting.
Patch by Dave Miller <justdave@syndicomm.com>
r= dkl, gerv
Diffstat (limited to 'buglist.cgi')
-rwxr-xr-x | buglist.cgi | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/buglist.cgi b/buglist.cgi
index d49e7ed25..d74563f25 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -639,7 +639,14 @@ sub GenerateSQL {
         push(@funcnames, $key);
     }
+    # first we delete any sign of "Chart #-1" from the HTML form hash
+    # since we want to guarantee the user didn't hide something here
+    my @badcharts = grep /^(field|type|value)-1-/, (keys %F);
+    foreach my $field (@badcharts) {
+        delete $F{$field};
+    }
+    # now we take our special chart and stuff it into the form hash
     my $chart = -1;
     my $row = 0;
     foreach my $ref (@specialchart) {
@@ -738,6 +745,13 @@ sub GenerateSQL {
     # out duplicates.
     # $suppstring = String which is pasted into query containing all table names
+    # get a list of field names to verify the user-submitted chart fields against
+    my %chartfields;
+    SendSQL("SELECT name FROM fielddefs");
+    while (MoreSQLData()) {
+        my ($name) = FetchSQLData();
+        $chartfields{$name} = 1;
+    }
     $row = 0;
     for ($chart=-1 ;
@@ -759,6 +773,16 @@ sub GenerateSQL {
         if ($f eq "noop" || $t eq "noop" || $v eq "") {
             next;
         }
+        # chart -1 is generated by other code above, not from the user-
+        # submitted form, so we'll blindly accept any values in chart -1
+        if ((!$chartfields{$f}) && ($chart != -1)) {
+            my $errstr = "Can't use " . html_quote($f) . " as a field name. " .
+                "If you think you're getting this in error, please copy the " .
+                "entire URL out of the address bar at the top of your browser " .
+                "window and email it to <109679\@bugzilla.org>";
+            die "Internal error: $errstr" if $chart < 0;
+            return Error($errstr);
+        }
         $q = SqlQuote($v);
         my $func;
         $term = undef;
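Review bot: The `$chart != -1` exemption in the third hunk rests on this loop having removed every user-supplied chart -1 key, but nothing says so at the `my @badcharts` line; add `# Invariant: after this loop every chart -1 entry in %F comes from @specialchart; the fielddefs check below skips chart -1 on that basis.` A denylist on key names is a fragile place to carry that guarantee, since any later code path that copies form data into chart -1 would bypass the whitelist without tripping this grep. As a style point the pattern would read more clearly with `\A` in place of `^`, and `keys %F` does not need the surrounding parentheses. GenerateSQL begins before this hunk.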
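Review bot: `die "Internal error: $errstr" if $chart < 0;` cannot fire as written: the enclosing `if` already requires `$chart != -1`, and the loop header shown in the second hunk starts at `$chart=-1`, so the guard only matters if the counter (its increment is outside the hunk) can ever drop below -1. Either delete the line or invert the structure so the trusted chart gets the stricter treatment — `if (!$chartfields{$f}) { die "Internal error: $errstr" if $chart == -1; return Error($errstr); }` with no chart exemption — which turns a bad `@specialchart` entry into a loud failure instead of a silently accepted field, assuming every generated field name is present in fielddefs, which this diff does not show. The whitelist covers only `$f`; `$v` reaches the query through `SqlQuote($v)` on the next line, while whether `$t` is confined to the known operator set (the `@funcnames` built in the first hunk) is not visible here and is worth confirming. Passing the rejected name through `html_quote($f)` before it goes to `Error` is the right call, since the value is request-controlled. GenerateSQL's body continues past this hunk.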