From 4e6767d4c3d1b0b583f4ec076992345545294748 Mon Sep 17 00:00:00 2001 From: "justdave%syndicomm.com" <> Date: Sun, 20 Jan 2002 09:44:34 +0000 Subject: Fix for bug 108982: enable taint mode for all user-facing CGI files. Patch by Brad Baetz r= jake, justdave --- Attachment.pm | 1 - Bug.pm | 11 ++++++----- Bugzilla/Attachment.pm | 1 - Bugzilla/Bug.pm | 11 ++++++----- Bugzilla/Token.pm | 1 - CGI.pl | 19 +++++++++++++------ Token.pm | 1 - attachment.cgi | 8 +++++--- buglist.cgi | 20 ++++++++++++++++++-- bugzilla.dtd | 2 +- changepassword.cgi | 2 +- colchange.cgi | 4 +++- createaccount.cgi | 4 +++- createattachment.cgi | 4 +++- describecomponents.cgi | 4 +++- describekeywords.cgi | 4 +++- doeditparams.cgi | 4 +++- doeditvotes.cgi | 9 ++++----- duplicates.cgi | 5 ++++- enter_bug.cgi | 4 +++- globals.pl | 19 +++++++++++++++++++ long_list.cgi | 4 +++- move.pl | 5 ++++- new_comment.cgi | 2 +- post_bug.cgi | 4 +++- process_bug.cgi | 32 ++++++++++++++++++++++---------- queryhelp.cgi | 4 +++- quips.cgi | 4 +++- relogin.cgi | 4 +++- reports.cgi | 4 +++- sanitycheck.cgi | 4 +++- show_activity.cgi | 4 +++- show_bug.cgi | 4 +++- showattachment.cgi | 6 ++++-- showdependencygraph.cgi | 8 +++++++- showvotes.cgi | 6 ++++-- t/002goodperl.t | 33 ++++++++++++++++++++++++++++++--- token.cgi | 4 +++- userprefs.cgi | 4 +++- xml.cgi | 7 +++++-- 40 files changed, 208 insertions(+), 73 deletions(-) diff --git a/Attachment.pm b/Attachment.pm index 1ba194d77..acfa52f63 100644 --- a/Attachment.pm +++ b/Attachment.pm @@ -1,4 +1,3 @@ -#!/usr/bonsaitools/bin/perl -w # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public diff --git a/Bug.pm b/Bug.pm index 670b274eb..96ff0b8af 100755 --- a/Bug.pm +++ b/Bug.pm @@ -1,4 +1,3 @@ -#!/usr/bonsaitools/bin/perl -w # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -75,10 +74,12 @@ sub initBug { my $self = shift(); my ($bug_id, $user_id) = (@_); - - if ( (! defined $bug_id) || (!$bug_id) ) { - # no bug number given - return {}; + my $old_bug_id = $bug_id; + if ((! defined $bug_id) || (!$bug_id) || (!&::detaint_natural($bug_id))) { + # no bug number given + $self->{'bug_id'} = $old_bug_id; + $self->{'error'} = "InvalidBugId"; + return $self; } # default userid 0, or get DBID if you used an email address diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm index 1ba194d77..acfa52f63 100644 --- a/Bugzilla/Attachment.pm +++ b/Bugzilla/Attachment.pm @@ -1,4 +1,3 @@ -#!/usr/bonsaitools/bin/perl -w # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 670b274eb..96ff0b8af 100755 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -1,4 +1,3 @@ -#!/usr/bonsaitools/bin/perl -w # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -75,10 +74,12 @@ sub initBug { my $self = shift(); my ($bug_id, $user_id) = (@_); - - if ( (! defined $bug_id) || (!$bug_id) ) { - # no bug number given - return {}; + my $old_bug_id = $bug_id; + if ((! defined $bug_id) || (!$bug_id) || (!&::detaint_natural($bug_id))) { + # no bug number given + $self->{'bug_id'} = $old_bug_id; + $self->{'error'} = "InvalidBugId"; + return $self; } # default userid 0, or get DBID if you used an email address diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index 185884c98..f2c5fbde7 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -1,4 +1,3 @@ -#!/usr/bonsaitools/bin/perl -w # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public diff --git a/CGI.pl b/CGI.pl index e245c1db4..16ec7f2d8 100644 --- a/CGI.pl +++ b/CGI.pl @@ -93,6 +93,9 @@ sub url_quote { sub ParseUrlString { + # We don't want to detaint the user supplied data... + use re 'taint'; + my ($buffer, $f, $m) = (@_); undef %$f; undef %$m; @@ -118,6 +121,7 @@ sub ParseUrlString { $name = $item; $value = ""; } + if ($value ne "") { if (defined $f->{$name}) { $f->{$name} .= $value; @@ -141,7 +145,6 @@ sub ParseUrlString { } } - sub ProcessFormFields { my ($buffer) = (@_); return ParseUrlString($buffer, \%::FORM, \%::MFORM); @@ -259,18 +262,18 @@ sub ValidateBugID { # Validates and verifies a bug ID, making sure the number is a # positive integer, that it represents an existing bug in the # database, and that the user is authorized to access that bug. + # We detaint the number here, too - my ($id) = @_; - - # Make sure the bug number is a positive integer. - # Whitespace can be ignored because the SQL server will ignore it. - $id =~ /^\s*([1-9][0-9]*)\s*$/ + $_[0] = trim($_[0]); # Allow whitespace arround the number + detaint_natural($_[0]) || DisplayError("The bug number is invalid. If you are trying to use " . "QuickSearch, you need to enable JavaScript in your " . "browser. To help us fix this limitation, look " . "here.") && exit; + my ($id) = @_; + # Get the values of the usergroupset and userid global variables # and write them to local variables for use within this function, # setting those local variables to the default value of zero if @@ -685,6 +688,8 @@ sub quietly_check_login() { $::COOKIE{"Bugzilla_login"} = $loginname; # Makes sure case # is in # canonical form. + # We've just verified that this is ok + detaint_natural($::COOKIE{"Bugzilla_logincookie"}); } else { $::disabledreason = $disabledtext; } @@ -1430,6 +1435,8 @@ if (defined $ENV{"REQUEST_METHOD"}) { if (defined $ENV{"HTTP_COOKIE"}) { + # Don't trust anything which came in as a cookie + use re 'taint'; foreach my $pair (split(/;/, $ENV{"HTTP_COOKIE"})) { $pair = trim($pair); if ($pair =~ /^([^=]*)=(.*)$/) { diff --git a/Token.pm b/Token.pm index 185884c98..f2c5fbde7 100644 --- a/Token.pm +++ b/Token.pm @@ -1,4 +1,3 @@ -#!/usr/bonsaitools/bin/perl -w # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public diff --git a/attachment.cgi b/attachment.cgi index e5c3f52fe..5996aa86d 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -29,6 +29,8 @@ use diagnostics; use strict; +use lib qw(.); + # Include the Bugzilla CGI and general utility library. require "CGI.pl"; @@ -139,10 +141,10 @@ exit; sub validateID { - # Validate the value of the "id" form field, which must contain a positive + # Validate the value of the "id" form field, which must contain an # integer that is the ID of an existing attachment. - $::FORM{'id'} =~ /^[1-9][0-9]*$/ + detaint_natural($::FORM{'id'}) || DisplayError("You did not enter a valid attachment number.") && exit; diff --git a/buglist.cgi b/buglist.cgi index d74563f25..ce67f648e 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -26,6 +26,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; use Date::Parse; @@ -783,6 +785,11 @@ sub GenerateSQL { die "Internal error: $errstr" if $chart < 0; return Error($errstr); } + + # This is either from the internal chart (in which case we + # already know about it), or it was in %chartfields, so it is + # a valid field name, which means that its ok. + trick_taint($f); $q = SqlQuote($v); my $func; $term = undef; @@ -1067,7 +1074,15 @@ my @fields = ("bugs.bug_id", "bugs.groupset"); foreach my $c (@collist) { if (exists $::needquote{$c}) { - push(@fields, "$::key{$c}"); + # The value we are actually using is $::key{$c}, which was created + # using the DefCol() function earlier. We test for the existance + # of $::needsquote{$c} to find out if $c is a legitimate key in the + # hashes that were defined by DefCol(). If $::needsquote{$c} exists, + # then $c is valid and we can use it to look up our key. + # If it doesn't exist, then we know the user is screwing with us + # and we'll just skip it. + trick_taint($c); + push(@fields, $::key{$c}); } } @@ -1142,6 +1157,7 @@ if (defined $::FORM{'order'} && $::FORM{'order'} ne "") { } die "Invalid order: $::FORM{'order'}" unless $::FORM{'order'} =~ /^([a-zA-Z0-9_., ]+)$/; + $::FORM{'order'} = $1; # detaint this, since we've checked it # Extra special disgusting hack: if we are ordering by target_milestone, # change it to order by the sortkey of the target_milestone first. diff --git a/bugzilla.dtd b/bugzilla.dtd index a443a953a..21fbb1dab 100644 --- a/bugzilla.dtd +++ b/bugzilla.dtd @@ -8,7 +8,7 @@ priority, version, rep_platform, assigned_to, delta_ts, component, reporter, target_milestone?, bug_severity, creation_ts, qa_contact?, status_whiteboard?, op_sys, short_desc?, keywords*, dependson*, blocks*, cc*, long_desc?, attachment*)> - + diff --git a/changepassword.cgi b/changepassword.cgi index 73ae90350..dafe5c1ae 100755 --- a/changepassword.cgi +++ b/changepassword.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public diff --git a/colchange.cgi b/colchange.cgi index f96559885..89150b5d4 100755 --- a/colchange.cgi +++ b/colchange.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,6 +23,8 @@ use diagnostics; use strict; +use lib qw(.); + sub sillyness { # shut up "used only once" warnings my $zz = @::legal_keywords; } diff --git a/createaccount.cgi b/createaccount.cgi index 4e5f6d49d..839b81fb3 100755 --- a/createaccount.cgi +++ b/createaccount.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -26,6 +26,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; # Shut up misguided -w warnings about "used only once": diff --git a/createattachment.cgi b/createattachment.cgi index d665e4498..ed8308cac 100755 --- a/createattachment.cgi +++ b/createattachment.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; use vars %::COOKIE, %::FILENAME; diff --git a/describecomponents.cgi b/describecomponents.cgi index bf6f94a34..9a2b99cc2 100755 --- a/describecomponents.cgi +++ b/describecomponents.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -25,6 +25,8 @@ use vars %::FORM; use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); diff --git a/describekeywords.cgi b/describekeywords.cgi index 6e23ca63d..3475fb6eb 100755 --- a/describekeywords.cgi +++ b/describekeywords.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,6 +23,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); diff --git a/doeditparams.cgi b/doeditparams.cgi index a67175e91..7390333c0 100755 --- a/doeditparams.cgi +++ b/doeditparams.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,6 +23,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; require "defparams.pl"; diff --git a/doeditvotes.cgi b/doeditvotes.cgi index 94c36b8f4..4d88e13c9 100755 --- a/doeditvotes.cgi +++ b/doeditvotes.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); @@ -67,9 +69,6 @@ if (0 == @buglist) { # minus sign). foreach my $id (@buglist) { ValidateBugID($id); - ($::FORM{$id} =~ /^\d+$/) - || DisplayError("Only use non-negative numbers for your bug votes.") - && exit; } ###################################################################### @@ -144,7 +143,7 @@ while (MoreSQLData()) { } SendSQL("delete from votes where who = $who"); foreach my $id (@buglist) { - if ($::FORM{$id} > 0) { + if (detaint_natural($::FORM{$id}) && $::FORM{$id} > 0) { SendSQL("insert into votes (who, bug_id, count) values ($who, $id, $::FORM{$id})"); } $affected{$id} = 1; diff --git a/duplicates.cgi b/duplicates.cgi index cd2d14c2a..78f29829f 100755 --- a/duplicates.cgi +++ b/duplicates.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -27,6 +27,9 @@ use diagnostics; use strict; use CGI "param"; use AnyDBM_File; + +use lib qw(.); + require "globals.pl"; require "CGI.pl"; diff --git a/enter_bug.cgi b/enter_bug.cgi index bd55b7363..f522f89c9 100755 --- a/enter_bug.cgi +++ b/enter_bug.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -35,6 +35,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; # Shut up misguided -w warnings about "used only once". "use vars" just diff --git a/globals.pl b/globals.pl index 87db566c1..36e1f86f1 100644 --- a/globals.pl +++ b/globals.pl @@ -194,8 +194,27 @@ sub SqlLog { } } +# This is from the perlsec page, slightly modifed to remove a warning +# From that page: +# This function makes use of the fact that the presence of +# tainted data anywhere within an expression renders the +# entire expression tainted. +# Don't ask me how it works... +sub is_tainted { + return not eval { my $foo = join('',@_), kill 0; 1; }; +} + sub SendSQL { my ($str, $dontshadow) = (@_); + + # Don't use DBI's taint stuff yet, because: + # a) We don't want out vars to be tainted (yet) + # b) We want to know who called SendSQL... + # Is there a better way to do b? + if (is_tainted($str)) { + die "Attempted to send tainted string to the database"; + } + my $iswrite = ($str =~ /^(INSERT|REPLACE|UPDATE|DELETE)/i); if ($iswrite && !$::dbwritesallowed) { die "Evil code attempted to write stuff to the shadow database."; diff --git a/long_list.cgi b/long_list.cgi index f6182d439..552457b06 100755 --- a/long_list.cgi +++ b/long_list.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; # Shut up misguided -w warnings about "used only once". "use vars" just diff --git a/move.pl b/move.pl index 37b8cb7ef..9647aee43 100755 --- a/move.pl +++ b/move.pl @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,6 +23,9 @@ use diagnostics; use strict; + +use lib qw(.); + use Bug; require "CGI.pl"; $::lockcount = 0; diff --git a/new_comment.cgi b/new_comment.cgi index 7f428ef80..bed11b472 100755 --- a/new_comment.cgi +++ b/new_comment.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public diff --git a/post_bug.cgi b/post_bug.cgi index b2b843977..361cba848 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -25,6 +25,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; # Shut up misguided -w warnings about "used only once". For some reason, diff --git a/process_bug.cgi b/process_bug.cgi index ac2e239ef..13942ca5f 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -29,6 +29,8 @@ use strict; my $UserInEditGroupSet = -1; my $UserInCanConfirmGroupSet = -1; +use lib qw(.); + require "CGI.pl"; use RelationSet; @@ -42,6 +44,7 @@ use vars %::versions, %::legal_opsys, %::legal_platform, %::legal_priority, + %::settable_resolution, %::target_milestone, %::legal_severity, %::superusergroupset; @@ -58,13 +61,18 @@ my $requiremilestone = 0; # This list will either consist of a single bug number from the "id" # form/URL field or a series of numbers from multiple form/URL fields # named "id_x" where "x" is the bug number. +# For each bug being modified, make sure its ID is a valid bug number +# representing an existing bug that the user is authorized to access. my @idlist; if (defined $::FORM{'id'}) { + ValidateBugID($::FORM{'id'}); push @idlist, $::FORM{'id'}; } else { foreach my $i (keys %::FORM) { if ($i =~ /^id_([1-9][0-9]*)/) { - push @idlist, $1; + my $id = $1; + ValidateBugID($id); + push @idlist, $id; } } } @@ -74,12 +82,6 @@ scalar(@idlist) || DisplayError("You did not select any bugs to modify.") && exit; -# For each bug being modified, make sure its ID is a valid bug number -# representing an existing bug that the user is authorized to access. -foreach my $id (@idlist) { - ValidateBugID($id); -} - # If we are duping bugs, let's also make sure that we can change # the original. This takes care of issue A on bug 96085. if (defined $::FORM{'dup_id'} && $::FORM{'knob'} eq "duplicate") { @@ -538,7 +540,7 @@ sub ChangeResolution { my ($str) = (@_); if ($str ne $::dontchange) { DoComma(); - $::query .= "resolution = '$str'"; + $::query .= "resolution = " . SqlQuote($str); } } @@ -695,6 +697,8 @@ SWITCH: for ($::FORM{'knob'}) { last SWITCH; }; /^resolve$/ && CheckonComment( "resolve" ) && do { + # Check here, because its the only place we require the resolution + CheckFormField(\%::FORM, 'resolution', \@::settable_resolution); ChangeStatus('RESOLVED'); ChangeResolution($::FORM{'resolution'}); last SWITCH; @@ -1030,8 +1034,15 @@ The changes made were: foreach my $i (split('[\s,]+', $::FORM{$target})) { if ($i eq "") { next; + } + my $orig = $i; + if (!detaint_natural($i)) { + PuntTryAgain("$orig is not a legal bug number"); } + + # Don't use CanSeeBug, since we want to keep deps to bugs a + # user can't see SendSQL("select bug_id from bugs where bug_id = " . SqlQuote($i)); my $comp = FetchOneColumn(); @@ -1049,7 +1060,8 @@ The changes made were: my @stack = @{$deps{$target}}; while (@stack) { my $i = shift @stack; - SendSQL("select $target from dependencies where $me = $i"); + SendSQL("select $target from dependencies where $me = " . + SqlQuote($i)); while (MoreSQLData()) { my $t = FetchOneColumn(); if ($t == $id) { diff --git a/queryhelp.cgi b/queryhelp.cgi index 9206bc144..93cbef755 100755 --- a/queryhelp.cgi +++ b/queryhelp.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -27,6 +27,8 @@ use vars %::FORM; use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); diff --git a/quips.cgi b/quips.cgi index 897bf32d0..d6fff6cfa 100755 --- a/quips.cgi +++ b/quips.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; use vars ( %::FORM ); +use lib qw(.); + require "CGI.pl"; print "Content-type: text/html\n\n"; diff --git a/relogin.cgi b/relogin.cgi index 44fae4cc1..091a96e8d 100755 --- a/relogin.cgi +++ b/relogin.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -25,6 +25,8 @@ use strict; use vars %::COOKIE; +use lib qw(.); + require "CGI.pl"; my $cookiepath = Param("cookiepath"); diff --git a/reports.cgi b/reports.cgi index 861622d73..0bdc062d1 100755 --- a/reports.cgi +++ b/reports.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -41,6 +41,8 @@ use diagnostics; use strict; +use lib qw(.); + eval "use GD"; my $use_gd = $@ ? 0 : 1; eval "use Chart::Lines"; diff --git a/sanitycheck.cgi b/sanitycheck.cgi index 1bf10f071..c85a3668e 100755 --- a/sanitycheck.cgi +++ b/sanitycheck.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; use vars %::FORM; diff --git a/show_activity.cgi b/show_activity.cgi index fccc21cd4..f8c55f0a1 100755 --- a/show_activity.cgi +++ b/show_activity.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); diff --git a/show_bug.cgi b/show_bug.cgi index c5b569a45..28eb66763 100755 --- a/show_bug.cgi +++ b/show_bug.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,6 +23,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); diff --git a/showattachment.cgi b/showattachment.cgi index 78143c550..70f5c6d66 100755 --- a/showattachment.cgi +++ b/showattachment.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -24,6 +24,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; if (!defined $::FORM{'attach_id'}) { @@ -43,7 +45,7 @@ ConnectToDatabase(); quietly_check_login(); -if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) { +if (!detaint_natural($::FORM{attach_id})) { DisplayError("Attachment ID should be numeric."); exit; } diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index a10afb896..4bb90d497 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,6 +23,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); @@ -168,6 +170,10 @@ node [URL="${urlbase}show_bug.cgi?id=\\N", style=filled, color=lightgrey] # Cleanup any old .dot files created from previous runs. my $since = time() - 24 * 60 * 60; foreach my $f (glob("data/webdot/*.dot")) { + # Here we are deleting all old files. All entries are from the + # data/webdot/ directory. Since we're deleting the file (not following + # symlinks), this can't escape to delete anything it shouldn't + trick_taint($f); if (ModTime($f) < $since) { unlink $f; } diff --git a/showvotes.cgi b/showvotes.cgi index a6928bf84..6ed4bb8e4 100755 --- a/showvotes.cgi +++ b/showvotes.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -25,6 +25,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; ConnectToDatabase(); @@ -61,7 +63,7 @@ if (defined $::FORM{'voteon'}) { # Make sure the user ID is a positive integer representing an existing user. if (defined $::FORM{'user'}) { - $::FORM{'user'} =~ /^([1-9][0-9]*)$/ + detaint_natural($::FORM{'user'}) || DisplayError("The user number is invalid.") && exit; SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}"); diff --git a/t/002goodperl.t b/t/002goodperl.t index 9c99a799a..09a5f0324 100644 --- a/t/002goodperl.t +++ b/t/002goodperl.t @@ -55,13 +55,40 @@ foreach my $file (@testitems) { } my $file_line1 = ; close (FILE); + + $file =~ m/.*\.(.*)/; + my $ext = $1; + if ($file_line1 !~ /\/usr\/bonsaitools\/bin\/perl/) { ok(1,"$file does not have a shebang"); } else { - if ($file_line1 =~ m#/usr/bonsaitools/bin/perl -w#) { - ok(1,"$file uses -w"); + my $flags; + if ($file eq "processmail") { + # special case processmail, which is tainted checked + $flags = "wT"; + } elsif (!defined $ext || $ext eq "pl") { + # standalone programs (eg syncshadowdb) aren't taint checked yet + $flags = "w"; + } elsif ($ext eq "pm") { + ok(0, "$file is a module, but has a shebang"); + next; + } elsif ($ext eq "cgi") { + # cgi files must be taint checked, but only the user-accessible + # ones have been checked so far + if ($file =~ m/^edit/) { + $flags = "w"; + } else { + $flags = "wT"; + } + } else { + ok(0, "$file has shebang but unknown extension"); + next; + } + + if ($file_line1 =~ m#/usr/bonsaitools/bin/perl -$flags#) { + ok(1,"$file uses -$flags"); } else { - ok(0,"$file is MISSING -w --WARNING"); + ok(0,"$file is MISSING -$flags --WARNING"); } } } diff --git a/token.cgi b/token.cgi index 2fed15ad0..81ae29629 100755 --- a/token.cgi +++ b/token.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -28,6 +28,8 @@ use diagnostics; use strict; +use lib qw(.); + # Include the Bugzilla CGI and general utility library. require "CGI.pl"; diff --git a/userprefs.cgi b/userprefs.cgi index bc0f1d672..531d57c0e 100755 --- a/userprefs.cgi +++ b/userprefs.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -22,6 +22,8 @@ use diagnostics; use strict; +use lib qw(.); + require "CGI.pl"; use RelationSet; diff --git a/xml.cgi b/xml.cgi index 51093890e..8b71b3837 100755 --- a/xml.cgi +++ b/xml.cgi @@ -1,4 +1,4 @@ -#!/usr/bonsaitools/bin/perl -w +#!/usr/bonsaitools/bin/perl -wT # -*- Mode: perl; indent-tabs-mode: nil -*- # # The contents of this file are subject to the Mozilla Public @@ -23,10 +23,13 @@ use diagnostics; use strict; + +use lib qw(.); + use Bug; require "CGI.pl"; -if (!defined $::FORM{'id'} || $::FORM{'id'} !~ /^\s*\d+(,\d+)*\s*$/) { +if (!defined $::FORM{'id'} || !$::FORM{'id'}) { print "Content-type: text/html\n\n"; PutHeader("Display as XML"); print "
\n"; -- cgit v1.2.3-24-g4f1b