Diffstat (limited to 'CGI.pl')
-rw-r--r--CGI.pl19
1 files changed, 13 insertions, 6 deletions
diff --git a/CGI.pl b/CGI.pl
index e245c1db4..16ec7f2d8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -93,6 +93,9 @@ sub url_quote {
sub ParseUrlString {
+ # We don't want to detaint the user supplied data...
+ use re 'taint';
+
my ($buffer, $f, $m) = (@_);
undef %$f;
undef %$m;
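Review bot: The comment above the new `use re 'taint'` says what the author wants but not what the pragma does, which is what a later reader needs before deciding it is safe to remove. `use re 'taint'` is lexically scoped to this sub body and stops regexp captures from laundering taint, so under -T the names and values stored into %$f and %$m stay tainted and every consumer has to detaint them explicitly; I would replace the comment with `# Keep parsed names/values tainted: captures would otherwise launder taint under -T,` and `# so every caller must detaint each field it uses (pragma is lexically scoped to this sub).`. The hunk header counts six old lines but only four context lines are visible here, so some context (probably blank or brace lines) was dropped in rendering; the body of ParseUrlString continues past the end of the hunk.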
@@ -118,6 +121,7 @@ sub ParseUrlString {
$name = $item;
$value = "";
}
+
if ($value ne "") {
if (defined $f->{$name}) {
$f->{$name} .= $value;
@@ -141,7 +145,6 @@ sub ParseUrlString {
}
}
-
sub ProcessFormFields {
my ($buffer) = (@_);
return ParseUrlString($buffer, \%::FORM, \%::MFORM);
@@ -259,18 +262,18 @@ sub ValidateBugID {
# Validates and verifies a bug ID, making sure the number is a
# positive integer, that it represents an existing bug in the
# database, and that the user is authorized to access that bug.
+ # We detaint the number here, too
- my ($id) = @_;
-
- # Make sure the bug number is a positive integer.
- # Whitespace can be ignored because the SQL server will ignore it.
- $id =~ /^\s*([1-9][0-9]*)\s*$/
+ $_[0] = trim($_[0]); # Allow whitespace arround the number
+ detaint_natural($_[0])
|| DisplayError("The bug number is invalid. If you are trying to use " .
"QuickSearch, you need to enable JavaScript in your " .
"browser. To help us fix this limitation, look " .
"<a href=\"http://bugzilla.mozilla.org/show_bug.cgi?id=70907\">here</a>.")
&& exit;
+ my ($id) = @_;
+
# Get the values of the usergroupset and userid global variables
# and write them to local variables for use within this function,
# setting those local variables to the default value of zero if
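Review bot: `$_[0] = trim($_[0])` on the new side writes through `@_` into the caller's variable, which appears to be the intent ("We detaint the number here, too") but is now an undocumented part of ValidateBugID's contract, and a call with a literal such as `ValidateBugID(5)` will die with "Modification of a read-only value attempted" instead of validating. I would state it in the header comment, e.g. `# Side effect: the argument is trimmed and detainted IN PLACE via @_ aliasing,` / `# so callers must pass an lvalue (e.g. $::FORM{'id'}), never a literal.`. Separately, `detaint_natural($_[0]) || DisplayError(...) && exit` parses as `detaint_natural(...) || (DisplayError(...) && exit)` because `&&` binds tighter than `||`; the old regexp version had the same shape, but since the function now continues with an undetainted `$id` if DisplayError ever returns false, `unless (detaint_natural($_[0])) { DisplayError(...); exit; }` makes the exit unconditional on failure, unless DisplayError is known to always return true. The rest of ValidateBugID continues past the hunk.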
@@ -685,6 +688,8 @@ sub quietly_check_login() {
$::COOKIE{"Bugzilla_login"} = $loginname; # Makes sure case
# is in
# canonical form.
+ # We've just verified that this is ok
+ detaint_natural($::COOKIE{"Bugzilla_logincookie"});
} else {
$::disabledreason = $disabledtext;
}
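Review bot: The new `detaint_natural($::COOKIE{"Bugzilla_logincookie"})` call discards its return value, so if the value somehow reaches this branch without being a natural number it silently stays tainted and the failure surfaces later, wherever the cookie is next used, rather than here. The verification the comment refers to is in the `if` condition above the hunk, so I cannot confirm it already guarantees a numeric value; if it only proves the cookie matched a database row, the explicit check is cheap: `detaint_natural($::COOKIE{"Bugzilla_logincookie"}) || die "Bugzilla_logincookie passed validation but is not a natural number";`. quietly_check_login starts before the hunk.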
@@ -1430,6 +1435,8 @@ if (defined $ENV{"REQUEST_METHOD"}) {
if (defined $ENV{"HTTP_COOKIE"}) {
+ # Don't trust anything which came in as a cookie
+ use re 'taint';
foreach my $pair (split(/;/, $ENV{"HTTP_COOKIE"})) {
$pair = trim($pair);
if ($pair =~ /^([^=]*)=(.*)$/) {