diff options
Diffstat (limited to 'buglist.cgi')
| -rwxr-xr-x | buglist.cgi | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/buglist.cgi b/buglist.cgi index 0aba4ecc0..18ad053dc 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -187,10 +187,14 @@ sub GenerateSQL { push(@specialchart, ["bug_id", $type, join(',', @{$M{'bug_id'}})]); } - if (defined $F{'sql'}) { - die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/; - push(@wherepart, "( $F{'sql'} )"); - } +# This is evil. We should never allow a user to directly append SQL to +# any query without a huge amount of validation. Even then, it would +# be a bad idea. Beware that uncommenting this will allow someone to +# peak at virtually anything they want in the bugs database. +# if (defined $F{'sql'}) { +# die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/; +# push(@wherepart, "( $F{'sql'} )"); +# } my @legal_fields = ("product", "version", "rep_platform", "op_sys", "bug_status", "resolution", "priority", "bug_severity", |