[SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an administrator) can inject arbitrary SQL via the URL used to edit an existing keyword.

Patch by Joel Peshkin <bugreport@peshkin.net> r= justdave, zach a= justdave
author: justdave%syndicomm.com <> 2003-11-03 12:31:30 +0100
committer: justdave%syndicomm.com <> 2003-11-03 12:31:30 +0100
commit: a4e75a434f1fbbae4b438927ae02958baad7f1b7 (patch)
tree: 74a5ab12bbf20c934af898475a3f6c7303b68013 /editkeywords.cgi
parent: a30e5f2cf9b04a8a377186ecb3b90b4311d23894 (diff)
download: bugzilla-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.gz
bugzilla-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/editkeywords.cgi b/editkeywords.cgi
index 073dfbb9d..7af0c1a6c 100755
--- a/editkeywords.cgi
+++ b/editkeywords.cgi
@@ -126,6 +126,7 @@ unless (UserInGroup("editkeywords")) {
 
 
 my $action  = trim($::FORM{action}  || '');
+detaint_natural($::FORM{id});
 
 
 if ($action eq "") {
author	justdave%syndicomm.com <>	2003-11-03 12:31:30 +0100
committer	justdave%syndicomm.com <>	2003-11-03 12:31:30 +0100
commit	a4e75a434f1fbbae4b438927ae02958baad7f1b7 (patch)
tree	74a5ab12bbf20c934af898475a3f6c7303b68013 /editkeywords.cgi
parent	a30e5f2cf9b04a8a377186ecb3b90b4311d23894 (diff)
download	bugzilla-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.gz bugzilla-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.xz