-rw-r--r-- | Bugzilla/Search.pm | 8 | ||||
-rw-r--r-- | Bugzilla/User.pm | 2 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 38 | ||||
-rwxr-xr-x | createaccount.cgi | 5 | ||||
-rwxr-xr-x | editflagtypes.cgi | 5 | ||||
-rwxr-xr-x | editusers.cgi | 15 | ||||
-rwxr-xr-x | post_bug.cgi | 5 | ||||
-rwxr-xr-x | process_bug.cgi | 4 | ||||
-rwxr-xr-x | token.cgi | 7 | ||||
-rwxr-xr-x | userprefs.cgi | 3 |
10 files changed, 58 insertions, 34 deletions
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index 0b1ac94ba..6255ede5d 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -350,14 +350,18 @@ sub init {
 if ($params->param('deadlinefrom')){
 $deadlinefrom = $params->param('deadlinefrom');
- Bugzilla::Util::ValidateDate($deadlinefrom, 'deadlinefrom');
+ validate_date($deadlinefrom)
+ || ThrowUserError('illegal_date', {date => $deadlinefrom,
+ format => 'YYYY-MM-DD'});
 $sql_deadlinefrom = &::SqlQuote($deadlinefrom);
 push(@wherepart, "bugs.deadline >= $sql_deadlinefrom");
 }
 if ($params->param('deadlineto')){
 $deadlineto = $params->param('deadlineto');
- Bugzilla::Util::ValidateDate($deadlineto, 'deadlineto');
+ validate_date($deadlineto)
+ || ThrowUserError('illegal_date', {date => $deadlineto,
+ format => 'YYYY-MM-DD'});
 $sql_deadlineto = &::SqlQuote($deadlineto);
 push(@wherepart, "bugs.deadline <= $sql_deadlineto");
 }
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index ad0430449..ab70f06fa 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1184,7 +1184,7 @@ sub insert_new_user {
 $password ||= &::GenerateRandomPassword();
 my $cryptpassword = bz_crypt($password);
- # XXX - These should be moved into is_available_username or check_email_syntax
+ # XXX - These should be moved into is_available_username or validate_email_syntax
 # At the least, they shouldn't be here. They're safe for now, though.
 trick_taint($username);
 trick_taint($realname);
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index d70bc13dd..694f6f1c4 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -37,13 +37,13 @@ use base qw(Exporter);
 lsearch max min
 diff_arrays diff_strings
 trim wrap_comment find_wrap_point
- format_time format_time_decimal
+ format_time format_time_decimal validate_date
 file_mod_time is_7bit_clean
- bz_crypt check_email_syntax);
+ bz_crypt validate_email_syntax);
 use Bugzilla::Config;
-use Bugzilla::Error;
 use Bugzilla::Constants;
+
 use Date::Parse;
 use Date::Format;
 use Text::Wrap;
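Review bot: The deadlinefrom branch now calls `validate_date` and `ThrowUserError` unqualified where the replaced line used the fully qualified `Bugzilla::Util::ValidateDate`, and the diffstat shows no other change to Bugzilla/Search.pm, so this only works if Search.pm already imports Bugzilla::Util and Bugzilla::Error — its import block is outside this hunk, please confirm. If either import is missing, the first query carrying a deadlinefrom or deadlineto value dies with an undefined-subroutine error instead of reaching the intended illegal_date page. The validate-or-throw triple is duplicated verbatim for deadlineto a few lines below and again in post_bug.cgi and process_bug.cgi; a small closure in init, `my $check_date = sub { validate_date($_[0]) || ThrowUserError('illegal_date', {date => $_[0], format => 'YYYY-MM-DD'}) };`, would keep the format string and the error name in one place. The body of init continues outside the hunk.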
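Review bot: Dropping `use Bugzilla::Error;` from Bugzilla/Util.pm is only safe if `validate_email_syntax` and `validate_date` were the last callers of ThrowUserError/ThrowCodeError inside the module; this hunk shows just the export list and the use lines, so the other subs are not visible here, and a search for `Throw` in Util.pm before landing would settle it (a remaining call would now fail at runtime in package Bugzilla::Util, not at compile time). The export list now publishes two validators that return 0/1 and never die, which inverts the old fail-closed contract for anyone who imports them by habit; a comment beside the export, `# validate_* return 1/0 only; the caller must ThrowUserError on 0`, would make that visible at the one place every importer reads.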
@@ -349,16 +349,15 @@ sub bz_crypt {
 return $cryptedpassword;
 }
-sub check_email_syntax {
- my ($addr) = (@_);
+sub validate_email_syntax {
+ my ($addr) = @_;
 my $match = Param('emailregexp');
- if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
- ThrowUserError("illegal_email_address", { addr => $addr });
- }
+ my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+ return $ret ? 1 : 0;
 }
-sub ValidateDate {
- my ($date, $format) = @_;
+sub validate_date {
+ my ($date) = @_;
 my $date2;
 # $ts is undefined if the parser fails.
@@ -369,9 +368,8 @@ sub ValidateDate {
 $date =~ s/(\d+)-0*(\d+?)-0*(\d+?)/$1-$2-$3/;
 $date2 =~ s/(\d+)-0*(\d+?)-0*(\d+?)/$1-$2-$3/;
 }
- if (!$ts || $date ne $date2) {
- ThrowUserError('illegal_date', {date => $date, format => $format});
- }
+ my $ret = ($ts && $date eq $date2);
+ return $ret ? 1 : 0;
 }
 sub is_7bit_clean {
@@ -431,7 +429,8 @@ Bugzilla::Util - Generic utility functions for bugzilla
 $crypted_password = bz_crypt($password);
 # Validation Functions
- check_email_syntax($email);
+ validate_email_syntax($email);
+ validate_date($date);
 =head1 DESCRIPTION
@@ -670,9 +669,14 @@ characters of the password to anyone who views the encrypted version.
 =over 4
-=item C<check_email_syntax($email)>
+=item C<validate_email_syntax($email)>
+
+Do a syntax checking for a legal email address and returns 1 if
+the check is successful, else returns 0.
+
+=item C<validate_date($date)>
-Do a syntax checking for a legal email address. An error is thrown
-if the validation fails.
+Make sure the date has the correct format and returns 1 if
+the check is successful, else returns 0.
 =back
diff --git a/createaccount.cgi b/createaccount.cgi
index 29b3c00ec..1be63756d 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
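Review bot: In `validate_email_syntax` the admin-configured `emailregexp` parameter is interpolated unanchored (`$addr =~ /$match/`), so a configured pattern without its own `^`/`$` anchors matches a substring, and the hard-coded character-class check on the same line is then the only guard that looks at the whole string; a comment on the `my $match` line, `# emailregexp must carry its own ^...$ anchors; the class check below is the only whole-string guard`, records that dependency. An undefined `$addr` (a caller passing a missing CGI parameter) now produces two uninitialized-value warnings before the function returns 0; `return 0 unless defined $addr;` as the first statement keeps the fail-closed result without the noise. The `my $ret = (...); return $ret ? 1 : 0;` pair here, and again in the validate_date hunk below, reads more directly as `return (...) ? 1 : 0;`.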
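Review bot: The new POD for `validate_email_syntax` and `validate_date` says nothing about what a caller has to do with a 0 result, and this is exactly where the contract changed: the removed text promised that an error is thrown, the new text only reports 1 or 0, so an importer that keeps the old call shape silently accepts bad input. Each item should gain a sentence along the lines of `Never dies; a return of 0 is a validation failure that the caller must turn into an error (the .cgi callers throw illegal_email_address / illegal_date).` The wording also reads awkwardly: `Do a syntax checking for a legal email address and returns 1 if` → `Checks that $email is a syntactically legal address; returns 1 if so, 0 otherwise.`, and `Make sure the date has the correct format and returns 1 if` → `Checks that $date is a well-formed date; returns 1 if so, 0 otherwise.`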
@@ -63,7 +63,10 @@ my $login = $cgi->param('login');
 if (defined($login)) {
 # We've been asked to create an account.
 my $realname = trim($cgi->param('realname'));
- check_email_syntax($login);
+
+ validate_email_syntax($login)
+ || ThrowUserError('illegal_email_address', {addr => $login});
+
 $vars->{'login'} = $login;
 $dbh->bz_lock_tables('profiles WRITE', 'email_setting WRITE', 'tokens READ');
diff --git a/editflagtypes.cgi b/editflagtypes.cgi
index bcf811f94..a7c1a5541 100755
--- a/editflagtypes.cgi
+++ b/editflagtypes.cgi
@@ -489,7 +489,10 @@ sub validateCCList {
 { cc_list => $cgi->param('cc_list') });
 my @addresses = split(/[, ]+/, $cgi->param('cc_list'));
- foreach my $address (@addresses) { check_email_syntax($address) }
+ foreach my $address (@addresses) {
+ validate_email_syntax($address)
+ || ThrowUserError('illegal_email_address', {addr => $address});
+ }
 }
 sub validateProduct {
diff --git a/editusers.cgi b/editusers.cgi
index bada71af7..56c0a7635 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -169,9 +169,10 @@ if ($action eq 'search') {
 # Validity checks
 $login || ThrowUserError('user_login_required');
- check_email_syntax($login);
- is_available_username($login) || ThrowUserError('account_exists',
- {'email' => $login});
+ validate_email_syntax($login)
+ || ThrowUserError('illegal_email_address', {addr => $login});
+ is_available_username($login)
+ || ThrowUserError('account_exists', {email => $login});
 ValidatePassword($password);
 # Login and password are validated now, and realname and disabledtext
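Review bot: The `validate_email_syntax($x) || ThrowUserError('illegal_email_address', {addr => $x})` pair that replaces the old single call here is repeated with the same error name in editflagtypes.cgi, both editusers.cgi hunks, token.cgi and userprefs.cgi; now that the validator returns 0/1 instead of dying, each copy is a place where a later edit can lose the `||` branch and let an unchecked address flow on into trick_taint or SqlQuote without any failure. One exported throwing wrapper kept next to the validator, in whichever module the .cgi files already import for ThrowUserError, would give callers a single name and reviewers a single place to audit. In this hunk `$realname` is trimmed on the line above while `$login` is validated untrimmed, which the validator's whitespace characters in its character class reject rather than normalise; that is fine as fail-closed behaviour but deserves a comment, `# no trim: surrounding whitespace is rejected, not stripped`. The enclosing if block continues outside the hunk.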
@@ -245,9 +246,11 @@ if ($action eq 'search') {
 if ($login ne $loginold) {
 # Validate, then trick_taint.
 $login || ThrowUserError('user_login_required');
- check_email_syntax($login);
- is_available_username($login) || ThrowUserError('account_exists',
- {'email' => $login});
+ validate_email_syntax($login)
+ || ThrowUserError('illegal_email_address', {addr => $login});
+ is_available_username($login)
+ || ThrowUserError('account_exists', {email => $login});
+
 trick_taint($login);
 push(@changedFields, 'login_name');
 push(@values, $login);
diff --git a/post_bug.cgi b/post_bug.cgi
index 1b5b329db..db95cbc5e 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -29,6 +29,7 @@ use lib qw(.);
 require "globals.pl";
 use Bugzilla;
 use Bugzilla::Constants;
+use Bugzilla::Util;
 use Bugzilla::Bug;
 use Bugzilla::User;
 use Bugzilla::Field;
@@ -309,7 +310,9 @@ if (UserInGroup(Param("timetrackinggroup")) &&
 }
 if ((UserInGroup(Param("timetrackinggroup"))) && ($cgi->param('deadline'))) {
- Bugzilla::Util::ValidateDate($cgi->param('deadline'), 'YYYY-MM-DD');
+ validate_date($cgi->param('deadline'))
+ || ThrowUserError('illegal_date', {date => $cgi->param('deadline'),
+ format => 'YYYY-MM-DD'});
 $sql .= SqlQuote($cgi->param('deadline'));
 } else {
 $sql .= "NULL";
diff --git a/process_bug.cgi b/process_bug.cgi
index b1b9c8050..b330615ce 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -1103,7 +1103,9 @@ if (UserInGroup(Param('timetrackinggroup'))) {
 DoComma();
 $::query .= "deadline = ";
 if ($cgi->param('deadline')) {
- Bugzilla::Util::ValidateDate($cgi->param('deadline'), 'YYYY-MM-DD');
+ validate_date($cgi->param('deadline'))
+ || ThrowUserError('illegal_date', {date => $cgi->param('deadline'),
+ format => 'YYYY-MM-DD'});
 $::query .= SqlQuote($cgi->param('deadline'));
 } else {
 $::query .= "NULL" ;
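Review bot: `$cgi->param('deadline')` is evaluated in list context three times in the new post_bug.cgi lines, and the copy inside the anonymous hash handed to ThrowUserError is the risky one: CGI's param returns every value of a multi-valued parameter in list context, so a request carrying two deadline values builds a hash with shifted keys (for example `{date => 'first', 'second' => 'format', 'YYYY-MM-DD' => undef}`) and the error template sees the wrong fields, while the value that validate_date checked and the one SqlQuote receives are only the same by whatever SqlQuote does with a list, which is not visible here. Read the parameter once into a scalar and reuse it: `my $deadline = $cgi->param('deadline');` then `validate_date($deadline) || ThrowUserError('illegal_date', {date => $deadline, format => 'YYYY-MM-DD'});` and `$sql .= SqlQuote($deadline);`. The same shape appears in the process_bug.cgi hunk below and, for `loginname`, in the token.cgi hunk that follows it.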
@@ -110,9 +110,10 @@ if ( $::action eq 'reqpw' ) {
 ThrowUserError("password_change_requests_not_allowed");
 }
- # Make sure the login name looks like an email address. This function
- # displays its own error and stops execution if the login name looks wrong.
- check_email_syntax($cgi->param('loginname'));
+ # Make sure the login name looks like an email address.
+ validate_email_syntax($cgi->param('loginname'))
+ || ThrowUserError('illegal_email_address',
+ {addr => $cgi->param('loginname')});
 my $quotedloginname = SqlQuote($cgi->param('loginname'));
 SendSQL("SELECT userid FROM profiles WHERE " .
diff --git a/userprefs.cgi b/userprefs.cgi
index 0a6ffe288..065dcb472 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -117,7 +117,8 @@ sub SaveAccount {
 }
 # Before changing an email address, confirm one does not exist.
- check_email_syntax($new_login_name);
+ validate_email_syntax($new_login_name)
+ || ThrowUserError('illegal_email_address', {addr => $new_login_name});
 trick_taint($new_login_name);
 is_available_username($new_login_name)
 || ThrowUserError("account_exists", {email => $new_login_name}); |