authortimeless%mozdev.org <>2004-07-09 12:33:39 +0200
committertimeless%mozdev.org <>2004-07-09 12:33:39 +0200
commitc50567b310c406567adfc5a510adf080f9d33eb9 (patch)
treef65bc93ca7614f32d06ff3c0949a019dd9edd255 /editcomponents.cgi
parent3bbd08a2236dab41540bf4199b14c79ff25ae2ca (diff)
Bug 242405 Turning on QA contact causes taint error in Bugzilla/Series.pm when adding a component
patch by bugzilla@glob.com.au r=joel a=justdave
Diffstat (limited to 'editcomponents.cgi')
-rwxr-xr-xeditcomponents.cgi21
1 files changed, 15 insertions, 6 deletions
diff --git a/editcomponents.cgi b/editcomponents.cgi
index 4c00050fa..00c06912f 100755
--- a/editcomponents.cgi
+++ b/editcomponents.cgi
@@ -46,7 +46,7 @@ sub sillyness {
my $dobugcounts = (defined $::FORM{'dobugcounts'});
-
+my $cgi = Bugzilla->cgi;
# TestProduct: just returns if the specified product does exists
# CheckProduct: same check, optionally emit an error text
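Review bot: The new file-scope lexical `$cgi` sits directly under `$::FORM{'dobugcounts'}`, so this file now reads the same request through two access paths, and nothing says which one new code should use. A one-line comment next to the declaration would make the split deliberate: `# $cgi is the CGI object for params that must be untainted explicitly (see the Series setup); $::FORM remains for the rest.` The only consumer of `$cgi` visible in this diff is the later hunk, where `$cgi->param('open_name')` and `$cgi->param('closed_name')` are passed to `trick_taint` with no pattern or length check first; if those names end up stored or displayed, a validation step before untainting (or a comment recording why none is needed beyond "not used as a command or in SQL unquoted") would keep taint mode's guarantee meaningful. The enclosing scope here is file top level; `sub sillyness` in the hunk header ends before this hunk.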
@@ -458,12 +458,21 @@ if ($action eq 'new') {
# For localisation reasons, we get the title of the queries from the
# submitted form.
+ my $open_name = $cgi->param('open_name');
+ my $closed_name = $cgi->param('closed_name');
my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED");
- my $statuses = join("&", map { "bug_status=$_" } @openedstatuses);
- push(@series, [$::FORM{'open_name'}, $statuses . $prodcomp]);
-
- my $resolved = "field0-0-0=resolution&type0-0-0=notequals&value0-0-0=---";
- push(@series, [$::FORM{'closed_name'}, $resolved . $prodcomp]);
+ my $statuses = join("&", map { "bug_status=$_" } @openedstatuses) . $prodcomp;
+ my $resolved = "field0-0-0=resolution&type0-0-0=notequals&value0-0-0=---" . $prodcomp;
+
+ # trick_taint is ok here, as these variables aren't used as a command
+ # or in SQL unquoted
+ trick_taint($open_name);
+ trick_taint($closed_name);
+ trick_taint($statuses);
+ trick_taint($resolved);
+
+ push(@series, [$open_name, $statuses]);
+ push(@series, [$closed_name, $resolved]);
foreach my $sdata (@series) {
my $series = new Bugzilla::Series(undef, $product, $component,