diff options
| -rwxr-xr-x | Bugzilla/Bug.pm | 46 | ||||
| -rw-r--r-- | CGI.pl | 45 | ||||
| -rwxr-xr-x | showdependencygraph.cgi | 1 | ||||
| -rwxr-xr-x | showdependencytree.cgi | 1 |
4 files changed, 47 insertions, 46 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 32030a7c2..a82df3b69 100755 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -50,7 +50,7 @@ use Bugzilla::Error; use base qw(Exporter); @Bugzilla::Bug::EXPORT = qw( AppendComment ValidateComment - bug_alias_to_id ValidateBugAlias + bug_alias_to_id ValidateBugAlias ValidateBugID RemoveVotes CheckIfVotedConfirmed ); @@ -1102,6 +1102,50 @@ sub CheckIfVotedConfirmed { # Field Validation # +# Validates and verifies a bug ID, making sure the number is a +# positive integer, that it represents an existing bug in the +# database, and that the user is authorized to access that bug. +# We detaint the number here, too. +sub ValidateBugID { + my ($id, $field) = @_; + my $dbh = Bugzilla->dbh; + my $user = Bugzilla->user; + + # Get rid of white-space around the ID. + $id = trim($id); + + # If the ID isn't a number, it might be an alias, so try to convert it. + my $alias = $id; + if (!detaint_natural($id)) { + $id = bug_alias_to_id($alias); + $id || ThrowUserError("invalid_bug_id_or_alias", + {'bug_id' => $alias, + 'field' => $field }); + } + + # Modify the calling code's original variable to contain the trimmed, + # converted-from-alias ID. + $_[0] = $id; + + # First check that the bug exists + $dbh->selectrow_array("SELECT bug_id FROM bugs WHERE bug_id = ?", undef, $id) + || ThrowUserError("invalid_bug_id_non_existent", {'bug_id' => $id}); + + return if (defined $field && ($field eq "dependson" || $field eq "blocked")); + + return if $user->can_see_bug($id); + + # The user did not pass any of the authorization tests, which means they + # are not authorized to see the bug. Display an error and stop execution. + # The error the user sees depends on whether or not they are logged in + # (i.e. $user->id contains the user's positive integer ID). + if ($user->id) { + ThrowUserError("bug_access_denied", {'bug_id' => $id}); + } else { + ThrowUserError("bug_access_query", {'bug_id' => $id}); + } +} + # ValidateBugAlias: # Check that the bug alias is valid and not used by another bug. If # curr_id is specified, verify the alias is not used for any other @@ -107,51 +107,6 @@ sub CheckFormFieldDefined ($$) { } } -sub ValidateBugID { - # Validates and verifies a bug ID, making sure the number is a - # positive integer, that it represents an existing bug in the - # database, and that the user is authorized to access that bug. - # We detaint the number here, too - - my ($id, $field) = @_; - - # Get rid of white-space around the ID. - $id = trim($id); - - # If the ID isn't a number, it might be an alias, so try to convert it. - my $alias = $id; - if (!detaint_natural($id)) { - $id = bug_alias_to_id($alias); - $id || ThrowUserError("invalid_bug_id_or_alias", - {'bug_id' => $alias, - 'field' => $field }); - } - - # Modify the calling code's original variable to contain the trimmed, - # converted-from-alias ID. - $_[0] = $id; - - # First check that the bug exists - SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $id"); - - FetchOneColumn() - || ThrowUserError("invalid_bug_id_non_existent", {'bug_id' => $id}); - - return if (defined $field && ($field eq "dependson" || $field eq "blocked")); - - return if Bugzilla->user->can_see_bug($id); - - # The user did not pass any of the authorization tests, which means they - # are not authorized to see the bug. Display an error and stop execution. - # The error the user sees depends on whether or not they are logged in - # (i.e. $::userid contains the user's positive integer ID). - if ($::userid) { - ThrowUserError("bug_access_denied", {'bug_id' => $id}); - } else { - ThrowUserError("bug_access_query", {'bug_id' => $id}); - } -} - sub CheckEmailSyntax { my ($addr) = (@_); my $match = Param('emailregexp'); diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 9591a284d..8a6aad925 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -30,6 +30,7 @@ use Bugzilla; use Bugzilla::Config qw(:DEFAULT $webdotdir); use Bugzilla::Util; use Bugzilla::BugMail; +use Bugzilla::Bug; require "CGI.pl"; diff --git a/showdependencytree.cgi b/showdependencytree.cgi index 76ef0ddee..e473357d1 100755 --- a/showdependencytree.cgi +++ b/showdependencytree.cgi @@ -28,6 +28,7 @@ use strict; use lib qw(.); require "CGI.pl"; use Bugzilla::User; +use Bugzilla::Bug; # Use global template variables. use vars qw($template $vars); |