From 7fd0299555cbc2ab398f1387afd9935cb8eb17ae Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Tue, 11 Oct 2016 10:26:32 -0400
Subject: Bug 1309229 - changing product results in Insecure dependency in
 parameter 3 of DBI::db=HASH(0x7f4caad58190)->selectcol_arrayref method call
 while running with -T switch at
 /data/www/bugzilla.mozilla.org/Bugzilla/Product.pm line 555.

---
 Bugzilla/Memcached.pm | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 memtaint.pl           | 14 ++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 memtaint.pl

diff --git a/Bugzilla/Memcached.pm b/Bugzilla/Memcached.pm
index cdadf4601..f73623720 100644
--- a/Bugzilla/Memcached.pm
+++ b/Bugzilla/Memcached.pm
@@ -12,6 +12,7 @@ use strict;
 use warnings;
 
 use Bugzilla::Error;
+use Bugzilla::Util qw(trick_taint);
 use Scalar::Util qw(blessed);
 use URI::Escape;
 use Encode;
@@ -246,7 +247,51 @@ sub _get {
 
     $key = $self->_encode_key($key)
         or return;
-    return $self->{memcached}->get($key);
+    my $value = $self->{memcached}->get($key);
+    return unless defined $value;
+
+    # detaint returned values
+    # hashes and arrays are detainted just one level deep
+    if (ref($value) eq 'HASH') {
+        _detaint_hashref($value);
+    }
+    elsif (ref($value) eq 'ARRAY') {
+        foreach my $value (@$value) {
+            next unless defined $value;
+            # arrays of hashes and arrays are common
+            if (ref($value) eq 'HASH') {
+                _detaint_hashref($value);
+            }
+            elsif (ref($value) eq 'ARRAY') {
+                _detaint_arrayref($value);
+            }
+            elsif (!ref($value)) {
+                trick_taint($value);
+            }
+        }
+    }
+    elsif (!ref($value)) {
+        trick_taint($value);
+    }
+    return $value;
+}
+
+sub _detaint_hashref {
+    my ($hashref) = @_;
+    foreach my $value (values %$hashref) {
+        if (defined($value) && !ref($value)) {
+            trick_taint($value);
+        }
+    }
+}
+
+sub _detaint_arrayref {
+    my ($arrayref) = @_;
+    foreach my $value (@$arrayref) {
+        if (defined($value) && !ref($value)) {
+            trick_taint($value);
+        }
+    }
 }
 
 sub _delete {
diff --git a/memtaint.pl b/memtaint.pl
new file mode 100644
index 000000000..54072dc49
--- /dev/null
+++ b/memtaint.pl
@@ -0,0 +1,14 @@
+use Cache::Memcached::Fast;
+use Devel::Peek;
+
+my $mc = Cache::Memcached::Fast->new( { servers => ['127.0.0.1:11211'] });
+
+my $v=[$ENV{PATH}];
+
+Dump($v->[0]);
+
+$mc->set("taint", $v);
+
+Dump($v->[0]);
+
+Dump($mc->get("taint")->[0]);
-- 
cgit v1.2.3-24-g4f1b