summaryrefslogtreecommitdiffstats
path: root/report.cgi
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2012-03-06 22:08:55 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-03-06 22:08:55 +0100
commit4357cedbbe2f046c3354b575df4e7b63f45252e6 (patch)
treedb19a51918c714a4ba5e18fa75f500af59b9c99b /report.cgi
parentebe30fe4ed3caedadccd9ffee7dbd63d3d164572 (diff)
downloadbugzilla-4357cedbbe2f046c3354b575df4e7b63f45252e6.tar.gz
bugzilla-4357cedbbe2f046c3354b575df4e7b63f45252e6.tar.xz
Bug 545610: Correctly parse CGI parameters, especially when using mod_perl
r=gerv a=LpSolit
Diffstat (limited to 'report.cgi')
-rwxr-xr-xreport.cgi23
1 files changed, 15 insertions, 8 deletions
diff --git a/report.cgi b/report.cgi
index e562d814a..83561fde5 100755
--- a/report.cgi
+++ b/report.cgi
@@ -21,7 +21,6 @@ use List::MoreUtils qw(uniq);
my $cgi = Bugzilla->cgi;
my $template = Bugzilla->template;
my $vars = {};
-my $buffer = $cgi->query_string();
# Go straight back to query.cgi if we are adding a boolean chart.
if (grep(/^cmd-/, $cgi->param())) {
@@ -34,9 +33,6 @@ if (grep(/^cmd-/, $cgi->param())) {
}
Bugzilla->login();
-
-my $dbh = Bugzilla->switch_to_shadow_db();
-
my $action = $cgi->param('action') || 'menu';
if ($action eq "menu") {
@@ -47,6 +43,9 @@ if ($action eq "menu") {
exit;
}
+# Sanitize the URL, to make URLs shorter.
+$cgi->clean_search_url;
+
my $col_field = $cgi->param('x_axis_field') || '';
my $row_field = $cgi->param('y_axis_field') || '';
my $tbl_field = $cgi->param('z_axis_field') || '';
@@ -120,6 +119,7 @@ my $query = $search->sql;
$::SIG{TERM} = 'DEFAULT';
$::SIG{PIPE} = 'DEFAULT';
+my $dbh = Bugzilla->switch_to_shadow_db();
my $results = $dbh->selectall_arrayref($query);
# We have a hash of hashes for the data itself, and a hash to hold the
@@ -228,10 +228,10 @@ if ($action eq "wrap") {
# We need to keep track of the defined restrictions on each of the
# axes, because buglistbase, below, throws them away. Without this, we
# get buglistlinks wrong if there is a restriction on an axis field.
- $vars->{'col_vals'} = join("&", $buffer =~ /[&?]($col_field=[^&]+)/g);
- $vars->{'row_vals'} = join("&", $buffer =~ /[&?]($row_field=[^&]+)/g);
- $vars->{'tbl_vals'} = join("&", $buffer =~ /[&?]($tbl_field=[^&]+)/g);
-
+ $vars->{'col_vals'} = get_field_restrictions($col_field);
+ $vars->{'row_vals'} = get_field_restrictions($row_field);
+ $vars->{'tbl_vals'} = get_field_restrictions($tbl_field);
+
# We need a number of different variants of the base URL for different
# URLs in the HTML.
$vars->{'buglistbase'} = $cgi->canonicalise_query(
@@ -331,3 +331,10 @@ sub check_value {
}
return $value;
}
+
+sub get_field_restrictions {
+ my $field = shift;
+ my $cgi = Bugzilla->cgi;
+
+ return join('&', map {"$field=$_"} $cgi->param($field));
+}