Bug 238873: remove %FORM from buglist.cgi - Patch by Teemu Mannermaa <wicked@etlicon.fi> r=jouni a=justdave

1 files changed, 44 insertions, 38 deletions

diff --git a/buglist.cgi b/buglist.cgi
index cfcefee90..32459a058 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -69,7 +69,7 @@ if (length($::buffer) == 0) {
 ################################################################################
 
 # Whether or not the user wants to change multiple bugs.
-my $dotweak = $::FORM{'tweak'} ? 1 : 0;
+my $dotweak = $cgi->param('tweak') ? 1 : 0;
 
 # Log the user in
 if ($dotweak) {
@@ -85,9 +85,10 @@ else {
 }
 
 # Hack to support legacy applications that think the RDF ctype is at format=rdf.
-if ($::FORM{'format'} && $::FORM{'format'} eq "rdf" && !$::FORM{'ctype'}) { 
-    $::FORM{'ctype'} = "rdf";
-    delete($::FORM{'format'});
+if (defined $cgi->param('format') && $cgi->param('format') eq "rdf"
+    && !defined $cgi->param('ctype')) {
+    $cgi->param('ctype', "rdf");
+    $cgi->delete('format');
 }
 
 # The js ctype presents a security risk; a malicious site could use it  
@@ -96,14 +97,15 @@ if ($::FORM{'format'} && $::FORM{'format'} eq "rdf" && !$::FORM{'ctype'}) {
 #
 # Note that if and when this call clears cookies or has other persistent 
 # effects, we'll need to do this another way instead.
-if ((exists $::FORM{'ctype'}) && ($::FORM{'ctype'} eq "js")) {
+if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
     Bugzilla->logout_request();
 }
 
 # Determine the format in which the user would like to receive the output.
 # Uses the default format if the user did not specify an output format;
 # otherwise validates the user's choice against the list of available formats.
-my $format = GetFormat("list/list", $::FORM{'format'}, $::FORM{'ctype'});
+my $format = GetFormat("list/list", scalar $cgi->param('format'),
+                       scalar $cgi->param('ctype'));
 
 # Use server push to display a "Please wait..." message for the user while
 # executing their query if their browser supports it and they are viewing
@@ -120,10 +122,10 @@ my $serverpush =
       && $ENV{'HTTP_USER_AGENT'} =~ /Mozilla.[3-9]/ 
         && $ENV{'HTTP_USER_AGENT'} !~ /[Cc]ompatible/
           && $ENV{'HTTP_USER_AGENT'} !~ /WebKit/
-            && !defined($::FORM{'serverpush'})
-              || $::FORM{'serverpush'};
+            && !defined($cgi->param('serverpush'))
+              || $cgi->param('serverpush');
 
-my $order = $::FORM{'order'} || "";
+my $order = $cgi->param('order') || "";
 my $order_from_cookie = 0;  # True if $order set using the LASTORDER cookie
 
 # The params object to use for the actual query itself
@@ -131,7 +133,7 @@ my $params;
 
 # If the user is retrieving the last bug list they looked at, hack the buffer
 # storing the query string so that it looks like a query retrieving those bugs.
-if ($::FORM{'regetlastlist'}) {
+if (defined $cgi->param('regetlastlist')) {
     $cgi->cookie('BUGLIST') || ThrowUserError("missing_cookie");
 
     $order = "reuse last sort" unless $order;
@@ -159,10 +161,10 @@ if ($::buffer =~ /&cmd-/) {
 # we'll remove the relevance column from the lists of columns to display
 # and order by, since relevance only exists when doing a fulltext search.
 my $fulltext = 0;
-if ($::FORM{'content'}) { $fulltext = 1 }
-my @charts = map(/^field(\d-\d-\d)$/ ? $1 : (), keys %::FORM);
+if (defined $cgi->param('content')) { $fulltext = 1 }
+my @charts = map(/^field(\d-\d-\d)$/ ? $1 : (), $cgi->param());
 foreach my $chart (@charts) {
-    if ($::FORM{"field$chart"} eq 'content' && $::FORM{"value$chart"}) {
+    if ($cgi->param("field$chart") eq 'content' && $cgi->param("value$chart")) {
         $fulltext = 1;
         last;
     }
@@ -324,14 +326,14 @@ sub GetGroupsByUserId {
 # Command Execution
 ################################################################################
 
-$::FORM{'cmdtype'} ||= "";
-$::FORM{'remaction'} ||= "";
+$cgi->param('cmdtype', "") if !defined $cgi->param('cmdtype');
+$cgi->param('remaction', "") if !defined $cgi->param('remaction');
 
 # Backwards-compatibility - the old interface had cmdtype="runnamed" to run
 # a named command, and we can't break this because it's in bookmarks.
-if ($::FORM{'cmdtype'} eq "runnamed") {  
-    $::FORM{'cmdtype'} = "dorem"; 
-    $::FORM{'remaction'} = "run";
+if ($cgi->param('cmdtype') eq "runnamed") {  
+    $cgi->param('cmdtype', "dorem");
+    $cgi->param('remaction', "run");
 }
 
 # Now we're going to be running, so ensure that the params object is set up,
@@ -349,36 +351,36 @@ $params ||= new Bugzilla::CGI($cgi);
 my @time = localtime(time());
 my $date = sprintf "%04d-%02d-%02d", 1900+$time[5],$time[4]+1,$time[3];
 my $filename = "bugs-$date.$format->{extension}";
-if ($::FORM{'cmdtype'} eq "dorem" && $::FORM{'remaction'} =~ /^run/) {
-    $filename = "$::FORM{'namedcmd'}-$date.$format->{extension}";
+if ($cgi->param('cmdtype') eq "dorem" && $cgi->param('remaction') =~ /^run/) {
+    $filename = $cgi->param('namedcmd') . "-$date.$format->{extension}";
     # Remove white-space from the filename so the user cannot tamper
     # with the HTTP headers.
     $filename =~ s/\s/_/g;
 }
 
 # Take appropriate action based on user's request.
-if ($::FORM{'cmdtype'} eq "dorem") {  
-    if ($::FORM{'remaction'} eq "run") {
-        $::buffer = LookupNamedQuery($::FORM{"namedcmd"});
-        $vars->{'searchname'} = $::FORM{'namedcmd'};
+if ($cgi->param('cmdtype') eq "dorem") {  
+    if ($cgi->param('remaction') eq "run") {
+        $::buffer = LookupNamedQuery(scalar $cgi->param("namedcmd"));
+        $vars->{'searchname'} = $cgi->param('namedcmd');
         $vars->{'searchtype'} = "saved";
         $params = new Bugzilla::CGI($::buffer);
         $order = $params->param('order') || $order;
 
     }
-    elsif ($::FORM{'remaction'} eq "runseries") {
-        $::buffer = LookupSeries($::FORM{"series_id"});
-        $vars->{'searchname'} = $::FORM{'namedcmd'};
+    elsif ($cgi->param('remaction') eq "runseries") {
+        $::buffer = LookupSeries(scalar $cgi->param("series_id"));
+        $vars->{'searchname'} = $cgi->param('namedcmd');
         $vars->{'searchtype'} = "series";
         $params = new Bugzilla::CGI($::buffer);
         $order = $params->param('order') || $order;
     }
-    elsif ($::FORM{'remaction'} eq "forget") {
+    elsif ($cgi->param('remaction') eq "forget") {
         Bugzilla->login(LOGIN_REQUIRED);
         # Copy the name into a variable, so that we can trick_taint it for
         # the DB. We know it's safe, because we're using placeholders in 
         # the SQL, and the SQL is only a DELETE.
-        my $qname = $::FORM{'namedcmd'};
+        my $qname = $cgi->param('namedcmd');
         trick_taint($qname);
         $dbh->do("DELETE FROM namedqueries"
             . " WHERE userid = ? AND name = ?"
@@ -390,27 +392,28 @@ if ($::FORM{'cmdtype'} eq "dorem") {
         print $cgi->header();
         # Generate and return the UI (HTML page) from the appropriate template.
         $vars->{'message'} = "buglist_query_gone";
-        $vars->{'namedcmd'} = $::FORM{'namedcmd'};
+        $vars->{'namedcmd'} = $cgi->param('namedcmd');
         $vars->{'url'} = "query.cgi";
         $template->process("global/message.html.tmpl", $vars)
           || ThrowTemplateError($template->error());
         exit;
     }
 }
-elsif (($::FORM{'cmdtype'} eq "doit") && $::FORM{'remtype'}) {
-    if ($::FORM{'remtype'} eq "asdefault") {
+elsif (($cgi->param('cmdtype') eq "doit") && defined $cgi->param('remtype')) {
+    if ($cgi->param('remtype') eq "asdefault") {
         Bugzilla->login(LOGIN_REQUIRED);
         InsertNamedQuery(Bugzilla->user->id, DEFAULT_QUERY_NAME, $::buffer);
         $vars->{'message'} = "buglist_new_default_query";
     }
-    elsif ($::FORM{'remtype'} eq "asnamed") {
+    elsif ($cgi->param('remtype') eq "asnamed") {
         Bugzilla->login(LOGIN_REQUIRED);
         my $userid = Bugzilla->user->id;
-        my $query_name = $::FORM{'newqueryname'};
+        my $query_name = $cgi->param('newqueryname');
 
         my $tofooter = 1;
         my $existed_before = InsertNamedQuery($userid, $query_name, 
-                                              $::FORM{'newquery'}, $tofooter);
+                                              scalar $cgi->param('newquery'),
+                                              $tofooter);
         if ($existed_before) {
             $vars->{'message'} = "buglist_updated_named_query";
         }
@@ -762,8 +765,11 @@ my $search = new Bugzilla::Search('fields' => \@selectnames,
                                   'order' => \@orderstrings);
 my $query = $search->getSQL();
 
-if ($::FORM{'limit'} && detaint_natural($::FORM{'limit'})) {
-    $query .= " " . $dbh->sql_limit($::FORM{'limit'});
+if (defined $cgi->param('limit')) {
+    my $limit = $cgi->param('limit');
+    if (detaint_natural($limit)) {
+        $query .= " " . $dbh->sql_limit($limit);
+    }
 }
 elsif ($fulltext) {
     $query .= " " . $dbh->sql_limit(200);
@@ -774,7 +780,7 @@ elsif ($fulltext) {
 # Query Execution
 ################################################################################
 
-if ($::FORM{'debug'}) {
+if ($cgi->param('debug')) {
     $vars->{'debug'} = 1;
     $vars->{'query'} = $query;
 }