authorjocuri%softhome.net <>2004-07-09 05:08:55 +0200
committerjocuri%softhome.net <>2004-07-09 05:08:55 +0200
commit3bbd08a2236dab41540bf4199b14c79ff25ae2ca (patch)
tree9aec29f2ea748d5bc86160941141dceefce4379e /editproducts.cgi
parent8b25e2c713f371a974de86bb28b300d7f354f124 (diff)
Patch for bug 250265: fix taint issues with vote fields when editing products; patch by GavinS <bugzilla@chimpychompy.org> slightly updated by me; r=joel; a=justdave.
Diffstat (limited to 'editproducts.cgi')
-rwxr-xr-xeditproducts.cgi14
1 files changed, 13 insertions, 1 deletions
diff --git a/editproducts.cgi b/editproducts.cgi
index b0e6279e0..f41aaa9e5 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -1075,12 +1075,24 @@ if ($action eq 'update') {
CheckProduct($productold);
my $product_id = get_product_id($productold);
- if ($maxvotesperbug !~ /^\d+$/ || $maxvotesperbug <= 0) {
+ if (!detaint_natural($maxvotesperbug) || $maxvotesperbug == 0) {
print "Sorry, the max votes per bug must be a positive integer.";
PutTrailer($localtrailer);
exit;
}
+ if (!detaint_natural($votesperuser)) {
+ print "Sorry, the votes per user must be an integer >= 0.";
+ PutTrailer($localtrailer);
+ exit;
+ }
+
+ if (!detaint_natural($votestoconfirm)) {
+ print "Sorry, the votes to confirm must be an integer >= 0.";
+ PutTrailer($localtrailer);
+ exit;
+ }
+
# Note that we got the $product_id using $productold above so it will
# remain static even after we rename the product in the database.