From 89e86c9318b61fe67077d33e37cc625c06487581 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Mon, 21 May 2012 20:06:17 +0200 Subject: Bug 754090: Bugzilla::FlagType::match() crashes when the group parameter is not a number a=LpSolit --- Bugzilla/FlagType.pm | 14 ++++++++++++-- editflagtypes.cgi | 3 +++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index b4709212e..d313a62b9 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -664,7 +664,10 @@ sub sqlify_criteria { } if ($criteria->{product_id}) { my $product_id = $criteria->{product_id}; - + detaint_natural($product_id) + || ThrowCodeError('bad_arg', { argument => 'product_id', + function => 'Bugzilla::FlagType::sqlify_criteria' }); + # Add inclusions to the query, which simply involves joining the table # by flag type ID and target product/component. push(@$tables, "INNER JOIN flaginclusions AS i ON flagtypes.id = i.type_id"); @@ -681,6 +684,10 @@ sub sqlify_criteria { my $addl_join_clause = ""; if ($criteria->{component_id}) { my $component_id = $criteria->{component_id}; + detaint_natural($component_id) + || ThrowCodeError('bad_arg', { argument => 'component_id', + function => 'Bugzilla::FlagType::sqlify_criteria' }); + push(@criteria, "(i.component_id = $component_id OR i.component_id IS NULL)"); $join_clause .= "AND (e.component_id = $component_id OR e.component_id IS NULL) "; } @@ -694,7 +701,10 @@ sub sqlify_criteria { } if ($criteria->{group}) { my $gid = $criteria->{group}; - detaint_natural($gid); + detaint_natural($gid) + || ThrowCodeError('bad_arg', { argument => 'group', + function => 'Bugzilla::FlagType::sqlify_criteria' }); + push(@criteria, "(flagtypes.grant_group_id = $gid " . " OR flagtypes.request_group_id = $gid)"); } diff --git a/editflagtypes.cgi b/editflagtypes.cgi index 4603aee38..e9c430d7d 100755 --- a/editflagtypes.cgi +++ b/editflagtypes.cgi @@ -141,6 +141,9 @@ if ($action eq 'list') { my $component_id = $component ? $component->id : 0; my $show_flag_counts = $cgi->param('show_flag_counts') ? 1 : 0; my $group_id = $cgi->param('group'); + if ($group_id) { + detaint_natural($group_id) || ThrowUserError('invalid_group_ID'); + } my $bug_flagtypes; my $attach_flagtypes; -- cgit v1.2.3-24-g4f1b