diff options
Diffstat (limited to 'Bugzilla')
-rwxr-xr-x | Bugzilla/Bug.pm | 46 |
1 files changed, 45 insertions, 1 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 32030a7c2..a82df3b69 100755 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -50,7 +50,7 @@ use Bugzilla::Error; use base qw(Exporter); @Bugzilla::Bug::EXPORT = qw( AppendComment ValidateComment - bug_alias_to_id ValidateBugAlias + bug_alias_to_id ValidateBugAlias ValidateBugID RemoveVotes CheckIfVotedConfirmed ); @@ -1102,6 +1102,50 @@ sub CheckIfVotedConfirmed { # Field Validation # +# Validates and verifies a bug ID, making sure the number is a +# positive integer, that it represents an existing bug in the +# database, and that the user is authorized to access that bug. +# We detaint the number here, too. +sub ValidateBugID { + my ($id, $field) = @_; + my $dbh = Bugzilla->dbh; + my $user = Bugzilla->user; + + # Get rid of white-space around the ID. + $id = trim($id); + + # If the ID isn't a number, it might be an alias, so try to convert it. + my $alias = $id; + if (!detaint_natural($id)) { + $id = bug_alias_to_id($alias); + $id || ThrowUserError("invalid_bug_id_or_alias", + {'bug_id' => $alias, + 'field' => $field }); + } + + # Modify the calling code's original variable to contain the trimmed, + # converted-from-alias ID. + $_[0] = $id; + + # First check that the bug exists + $dbh->selectrow_array("SELECT bug_id FROM bugs WHERE bug_id = ?", undef, $id) + || ThrowUserError("invalid_bug_id_non_existent", {'bug_id' => $id}); + + return if (defined $field && ($field eq "dependson" || $field eq "blocked")); + + return if $user->can_see_bug($id); + + # The user did not pass any of the authorization tests, which means they + # are not authorized to see the bug. Display an error and stop execution. + # The error the user sees depends on whether or not they are logged in + # (i.e. $user->id contains the user's positive integer ID). + if ($user->id) { + ThrowUserError("bug_access_denied", {'bug_id' => $id}); + } else { + ThrowUserError("bug_access_query", {'bug_id' => $id}); + } +} + # ValidateBugAlias: # Check that the bug alias is valid and not used by another bug. If # curr_id is specified, verify the alias is not used for any other |