authorbbaetz%student.usyd.edu.au <>2002-03-01 14:39:25 +0100
committerbbaetz%student.usyd.edu.au <>2002-03-01 14:39:25 +0100
commitd0e08d069d70cfa2b3ece8eb83d6b6dd5d917ca5 (patch)
tree2a3127a6230a3400260a2582ea4fb346382b354a /post_bug.cgi
parent1d29501cf5dbd911fc807a498393d7cf4ea04f8f (diff)
Bug 107743 - post_bug.cgi doesn't properly validate parameters
r=gerv, justdave
Diffstat (limited to 'post_bug.cgi')
-rwxr-xr-xpost_bug.cgi14
1 files changed, 11 insertions, 3 deletions
diff --git a/post_bug.cgi b/post_bug.cgi
index fa3fd075f..7152e37c6 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -39,7 +39,6 @@ sub sillyness {
$zz = %::COOKIE;
$zz = %::components;
$zz = %::versions;
- $zz = @::legal_bug_status;
$zz = @::legal_opsys;
$zz = @::legal_platform;
$zz = @::legal_priority;
@@ -122,7 +121,12 @@ if (Param("useqacontact")) {
}
if (exists $::FORM{'bug_status'}) {
- if (!UserInGroup("canedit") && !UserInGroup("canconfirm")) {
+ # Ignore the given status, so that we can set it to UNCONFIRMED
+ # or NEW, depending on votestoconfirm if either the given state was
+ # unconfirmed (so that a user can't override the below check), or if
+ # the user doesn't have permission to change the default status anyway
+ if ($::FORM{'bug_status'} == $::unconfirmedstate
+ || (!UserInGroup("canedit") && !UserInGroup("canconfirm"))) {
delete $::FORM{'bug_status'};
}
}
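Review bot: The added test `$::FORM{'bug_status'} == $::unconfirmedstate` uses the numeric `==` operator on what appear to be status names; the last hunk lists `$::unconfirmedstate` beside the string 'NEW' as legal values. Two non-numeric strings both numify to 0, so the condition would also be true for 'NEW', and the submitted status would be deleted for every user, including members of canedit or canconfirm. Use string comparison instead: `if ($::FORM{'bug_status'} eq $::unconfirmedstate`. The definition of `$::unconfirmedstate` is outside this hunk, so confirm that it holds a string.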
@@ -142,6 +146,10 @@ if (!exists $::FORM{'target_milestone'}) {
$::FORM{'target_milestone'} = FetchOneColumn();
}
+if (!Param('letsubmitterchoosepriority')) {
+ $::FORM{'priority'} = Param{'defaultpriority'};
+}
+
GetVersionTable();
CheckFormField(\%::FORM, 'product', \@::legal_product);
CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}});
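Review bot: The added assignment writes `Param{'defaultpriority'}` with braces, while the condition one line above uses the call form `Param('letsubmitterchoosepriority')`. Perl does not read the braced form as that function call (it is most likely taken as a block or indirect-object construct), so the configured default probably never reaches `$::FORM{'priority'}` as intended. This assignment is what overrides a submitter-supplied priority when the parameter is off, so it should read `$::FORM{'priority'} = Param('defaultpriority');`. A comment such as `# Submitters may not pick a priority here; discard whatever the form sent` would make the intent explicit.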
@@ -152,7 +160,7 @@ CheckFormField(\%::FORM, 'bug_severity', \@::legal_severity);
CheckFormField(\%::FORM, 'priority', \@::legal_priority);
CheckFormField(\%::FORM, 'op_sys', \@::legal_opsys);
CheckFormFieldDefined(\%::FORM, 'assigned_to');
-CheckFormField(\%::FORM, 'bug_status', \@::legal_bug_status);
+CheckFormField(\%::FORM, 'bug_status', [$::unconfirmedstate, 'NEW']);
CheckFormFieldDefined(\%::FORM, 'bug_file_loc');
CheckFormField(\%::FORM, 'component',
\@{$::components{$::FORM{'product'}}});