author | justdave%syndicomm.com <> | 2002-01-20 10:44:34 +0100 |
committer | justdave%syndicomm.com <> | 2002-01-20 10:44:34 +0100 |
commit | 4e6767d4c3d1b0b583f4ec076992345545294748 (patch) | |
tree | 44d10a299f4d910400fb420b38e21e769c00be7e /process_bug.cgi | |
parent | 72f340e3a12668c9356102c71f864afa986e001a (diff) | |
Fix for bug 108982: enable taint mode for all user-facing CGI files.
Patch by Brad Baetz <bbaetz@student.usyd.edu.au>
r= jake, justdave
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-x | process_bug.cgi | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/process_bug.cgi b/process_bug.cgi index ac2e239ef..13942ca5f 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -29,6 +29,8 @@ use strict; my $UserInEditGroupSet = -1; my $UserInCanConfirmGroupSet = -1; +use lib qw(.); + require "CGI.pl"; use RelationSet; @@ -42,6 +44,7 @@ use vars %::versions, %::legal_opsys, %::legal_platform, %::legal_priority, + %::settable_resolution, %::target_milestone, %::legal_severity, %::superusergroupset; @@ -58,13 +61,18 @@ my $requiremilestone = 0; # This list will either consist of a single bug number from the "id" # form/URL field or a series of numbers from multiple form/URL fields # named "id_x" where "x" is the bug number. +# For each bug being modified, make sure its ID is a valid bug number +# representing an existing bug that the user is authorized to access. my @idlist; if (defined $::FORM{'id'}) { + ValidateBugID($::FORM{'id'}); push @idlist, $::FORM{'id'}; } else { foreach my $i (keys %::FORM) { if ($i =~ /^id_([1-9][0-9]*)/) { - push @idlist, $1; + my $id = $1; + ValidateBugID($id); + push @idlist, $id; } } } @@ -74,12 +82,6 @@ scalar(@idlist) || DisplayError("You did not select any bugs to modify.") && exit; -# For each bug being modified, make sure its ID is a valid bug number -# representing an existing bug that the user is authorized to access. -foreach my $id (@idlist) { - ValidateBugID($id); -} - # If we are duping bugs, let's also make sure that we can change # the original. This takes care of issue A on bug 96085. if (defined $::FORM{'dup_id'} && $::FORM{'knob'} eq "duplicate") { @@ -538,7 +540,7 @@ sub ChangeResolution { my ($str) = (@_); if ($str ne $::dontchange) { DoComma(); - $::query .= "resolution = '$str'"; + $::query .= "resolution = " . SqlQuote($str); } } 
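Review bot: `use lib qw(.)` puts the current working directory back onto @INC, which is precisely the entry that `-T` removes, so `require "CGI.pl"` now depends on the web server's CWD being the Bugzilla directory rather than on where the script lives. That is workable for this CGI layout, but the reason belongs next to the line, e.g. `# -T drops "." from @INC; re-add it so require "CGI.pl" resolves (CWD is the Bugzilla root under the web server)`. A path derived from the script's own location (FindBin) would remove the CWD dependence, though whether such a value stays acceptable to `use lib` under taint mode would need to be checked rather than assumed.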
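Review bot: In the `id` branch the form value is passed to `ValidateBugID($::FORM{'id'})` and the same scalar is then pushed onto @idlist, so whatever is later built from @idlist is only clean under `-T` if ValidateBugID untaints its argument in place through @_ aliasing; ValidateBugID is defined outside this hunk, so that contract is not visible here and should be stated, e.g. `# ValidateBugID detaints $_[0] in place; the value pushed below is the cleaned one`. In the `id_x` branch the regex capture is untainted by the match itself, but `/^id_([1-9][0-9]*)/` has no end anchor, so a key such as `id_12x` (constructed example) still yields 12; `if ($i =~ /^id_([1-9][0-9]*)$/) {` would make the key match exact. The surrounding statement run continues outside the hunk.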
@@ -695,6 +697,8 @@ SWITCH: for ($::FORM{'knob'}) { last SWITCH; }; /^resolve$/ && CheckonComment( "resolve" ) && do { + # Check here, because its the only place we require the resolution + CheckFormField(\%::FORM, 'resolution', \@::settable_resolution); ChangeStatus('RESOLVED'); ChangeResolution($::FORM{'resolution'}); last SWITCH; @@ -1030,8 +1034,15 @@ The changes made were: foreach my $i (split('[\s,]+', $::FORM{$target})) { if ($i eq "") { next; + } + my $orig = $i; + if (!detaint_natural($i)) { + PuntTryAgain("$orig is not a legal bug number"); } + + # Don't use CanSeeBug, since we want to keep deps to bugs a + # user can't see SendSQL("select bug_id from bugs where bug_id = " . SqlQuote($i)); my $comp = FetchOneColumn(); @@ -1049,7 +1060,8 @@ The changes made were: my @stack = @{$deps{$target}}; while (@stack) { my $i = shift @stack; - SendSQL("select $target from dependencies where $me = $i"); + SendSQL("select $target from dependencies where $me = " . + SqlQuote($i)); while (MoreSQLData()) { my $t = FetchOneColumn(); if ($t == $id) { |
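Review bot: The new comment reads `its` where `it's` is meant; suggest `# Check here, because it's the only place we require the resolution`. The CheckFormField call guards only the `resolve` branch of SWITCH, which is sound as long as no other branch hands a form-supplied value to ChangeResolution; the comment asserts that, but the rest of SWITCH lies outside this hunk so it cannot be confirmed here.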
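Review bot: `PuntTryAgain("$orig is not a legal bug number")` reflects the raw, still-tainted form token into the error page; unless PuntTryAgain HTML-escapes its argument (its body is not in this hunk), the message should be built with the project's HTML-quoting helper, e.g. `PuntTryAgain(html_quote($orig) . " is not a legal bug number");`, if `html_quote` is the helper in scope. The `detaint_natural` / `SqlQuote` pair already covers the SQL side, so the echoed text is the remaining exposure. The enclosing foreach and its subroutine begin outside the hunk.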