From 90d86a9744883ccc120a0a955ffade72990e1505 Mon Sep 17 00:00:00 2001 
From: Frédéric Buclin Date: Thu, 14 Apr 2016 21:03:00 +0200 Subject: Bug 1088022 - Bump min version to CGI 4.09 r=dkl --- Bugzilla/Attachment.pm | 2 +- Bugzilla/CGI.pm | 75 ++++++---------------- Bugzilla/Chart.pm | 4 +- Bugzilla/Flag.pm | 12 ++-- Bugzilla/Search/Quicksearch.pm | 2 +- Bugzilla/Search/Saved.pm | 6 +- Bugzilla/Template.pm | 4 ++ Makefile.PL | 2 +- attachment.cgi | 10 +-- buglist.cgi | 7 +- chart.cgi | 8 +-- colchange.cgi | 11 ++-- config.cgi | 2 +- duplicates.cgi | 2 +- editclassifications.cgi | 4 +- editcomponents.cgi | 4 +- editfields.cgi | 24 +++---- editflagtypes.cgi | 18 +++--- editgroups.cgi | 28 ++++---- editproducts.cgi | 4 +- editusers.cgi | 16 ++--- editvalues.cgi | 4 +- editwhines.cgi | 4 +- enter_bug.cgi | 6 +- post_bug.cgi | 8 +-- process_bug.cgi | 24 +++---- query.cgi | 6 +- relogin.cgi | 7 +- report.cgi | 6 +- reports.cgi | 2 +- request.cgi | 14 ++-- sanitycheck.cgi | 2 +- show_bug.cgi | 8 +-- summarize_time.cgi | 6 +- t/004template.t | 10 ++- template/en/default/account/auth/login.html.tmpl | 2 +- template/en/default/attachment/midair.html.tmpl | 8 +-- .../en/default/bug/create/comment-guided.txt.tmpl | 22 +++---- template/en/default/bug/create/comment.txt.tmpl | 5 +- .../en/default/bug/create/create-guided.html.tmpl | 7 +- template/en/default/bug/process/header.html.tmpl | 6 +- template/en/default/bug/process/midair.html.tmpl | 20 +++--- .../bug/process/verify-new-product.html.tmpl | 13 ++-- template/en/default/bug/show.xml.tmpl | 5 +- .../en/default/global/confirm-user-match.html.tmpl | 6 +- template/en/default/global/hidden-fields.html.tmpl | 11 ++-- .../en/default/global/product-select.html.tmpl | 4 +- template/en/default/global/user-error.html.tmpl | 17 +++-- template/en/default/list/list.html.tmpl | 6 +- template/en/default/pages/linked.html.tmpl | 6 +- template/en/default/reports/keywords.html.tmpl | 4 +- template/en/default/request/queue.html.tmpl | 18 +++--- userprefs.cgi | 8 +-- xt/extensions/QA/Extension.pm | 4 +- 54 files 
changed, 240 insertions(+), 284 deletions(-) diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm index 78334ec18..ec318b021 100644 --- a/Bugzilla/Attachment.pm +++ b/Bugzilla/Attachment.pm @@ -1020,7 +1020,7 @@ sub get_content_type { # The user asked us to auto-detect the content type, so use the type # specified in the HTTP request headers. $content_type = - $cgi->uploadInfo($cgi->param('data'))->{'Content-Type'}; + $cgi->uploadInfo(scalar $cgi->param('data'))->{'Content-Type'}; $content_type || ThrowUserError("missing_content_type"); # Internet Explorer sends image/x-png for PNG images, diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 4258cd552..b341a86f1 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -18,6 +18,7 @@ use Bugzilla::Error; use Bugzilla::Util; use Bugzilla::Hook; use Bugzilla::Search::Recent; +use Bugzilla::Install::Util qw(i_am_persistent); use File::Basename; @@ -34,8 +35,7 @@ sub _init_bz_cgi_globals { # We don't precompile any functions here, that's done specially in # mod_perl code. - $invocant->_setup_symbols(qw(:no_xhtml :oldstyle_urls :private_tempfiles - :unique_headers)); + $invocant->_setup_symbols(qw(:no_xhtml :oldstyle_urls :unique_headers :utf8)); } BEGIN { __PACKAGE__->_init_bz_cgi_globals() if i_am_cgi(); } @@ -44,9 +44,7 @@ sub new { my ($invocant, @args) = @_; my $class = ref($invocant) || $invocant; - # Under mod_perl, CGI's global variables get reset on each request, - # so we need to set them up again every time. - $class->_init_bz_cgi_globals() if $ENV{MOD_PERL}; + $class->_init_bz_cgi_globals() if i_am_persistent(); my $self = $class->SUPER::new(@args); 
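Review bot: The `_setup_symbols` call in `_init_bz_cgi_globals` drops `:private_tempfiles` without a comment, and that pragma concerned how upload temp files are kept on disk. If CGI 4.09 already keeps those files private by default, record it with `# :private_tempfiles is not needed with CGI >= 4.09`; if that cannot be confirmed, the pragma should stay. The same line adds `:utf8`, which presumably changes parameter values from bytes to characters for every caller, so it deserves a line of comment too. The sub starts outside the hunk.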
@@ -65,18 +63,11 @@ sub new { # Path-Info is of no use for Bugzilla and interacts badly with IIS. # Moreover, it causes unexpected behaviors, such as totally breaking # the rendering of pages. - if (my $path_info = $self->path_info) { + if ($self->script_name && $self->path_info) { my @whitelist = ("rest.cgi"); Bugzilla::Hook::process('path_info_whitelist', { whitelist => \@whitelist }); if (!grep($_ eq $script, @whitelist)) { - # IIS includes the full path to the script in PATH_INFO, - # so we have to extract the real PATH_INFO from it, - # else we will be redirected outside Bugzilla. - my $script_name = $self->script_name; - $path_info =~ s/^\Q$script_name\E//; - if ($script_name && $path_info) { - print $self->redirect($self->url(-path => 0, -query => 1)); - } + print $self->redirect($self->url(-path => 0, -query => 1)); } } @@ -117,7 +108,7 @@ sub canonicalise_query { # Reconstruct the URL by concatenating the sorted param=value pairs my @parameters; - foreach my $key (sort($self->param())) { + foreach my $key (sort($self->multi_param())) { # Leave this key out if it's in the exclude list next if grep { $_ eq $key } @exclude; @@ -127,7 +118,7 @@ sub canonicalise_query { my $esc_key = url_quote($key); - foreach my $value ($self->param($key)) { + foreach my $value ($self->multi_param($key)) { # Omit params with an empty value if (defined($value) && $value ne '') { my $esc_value = url_quote($value); @@ -143,7 +134,7 @@ sub canonicalise_query { sub clean_search_url { my $self = shift; # Delete any empty URL parameter. - my @cgi_params = $self->param; + my @cgi_params = $self->multi_param(); foreach my $param (@cgi_params) { if (defined $self->param($param) && $self->param($param) eq '') { 
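Review bot: The path-info redirect in `new` now fires whenever `script_name` and `path_info` are both non-empty, but the hunk deletes the step that stripped the script path from `PATH_INFO`, together with the comment that explained it. The surviving comment still mentions IIS, so a reader cannot tell that the code now depends on CGI itself normalising `path_info`. If a server still reports the full script path there, every request to a non-whitelisted script would presumably be redirected. I would add `# Relies on CGI >= 4.09 stripping the script path from PATH_INFO (IIS) - keep a test for this.` above the `if`. `new` starts and ends outside the hunk.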
@@ -252,23 +243,12 @@ sub check_etag { # Have to add the cookies in. sub multipart_start { my $self = shift; - - my %args = @_; - - # CGI.pm::multipart_start doesn't honour its own charset information, so - # we do it ourselves here - if (defined $self->charset() && defined $args{-type}) { - # Remove any existing charset specifier - $args{-type} =~ s/;.*$//; - # and add the specified one - $args{-type} .= '; charset=' . $self->charset(); - } - - my $headers = $self->SUPER::multipart_start(%args); + # We have to explicitly pass the charset. + my $headers = $self->SUPER::multipart_start(@_, -charset => $self->charset()); # Eliminate the one extra CRLF at the end. $headers =~ s/$CGI::CRLF$//; # Add the cookies. We have to do it this way instead of - # passing them to multpart_start, because CGI.pm's multipart_start + # passing them to multipart_start, because CGI.pm's multipart_start # doesn't understand a '-cookie' argument pointing to an arrayref. foreach my $cookie (@{$self->{Bugzilla_cookie_list}}) { $headers .= "Set-Cookie: ${cookie}${CGI::CRLF}"; @@ -366,11 +346,15 @@ sub header { sub param { my $self = shift; - local $CGI::LIST_CONTEXT_WARN = 0; + + my @caller = caller(0); + if (wantarray && $caller[0] ne 'CGI') { + warn 'Illegal call to $cgi->param in list context from ' . $caller[0]; + } # When we are just requesting the value of a parameter... if (scalar(@_) == 1) { - my @result = $self->SUPER::param(@_); + my @result = $self->SUPER::multi_param(@_); # Also look at the URL parameters, after we look at the POST # parameters. This is to allow things like login-form submissions @@ -381,9 +365,6 @@ sub param { @result = $self->url_param(@_); } - # Fix UTF-8-ness of input parameters. - @result = map { _fix_utf8($_) } @result; - return wantarray ? @result : $result[0]; } # And for various other functions in CGI.pm, we need to correctly 
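Review bot: The list-context check added at the top of `param` only warns, and the sub still reaches `return wantarray ? @result : $result[0];`. A call site this commit missed therefore keeps receiving every submitted value, including inside hash constructors and argument lists where the element count matters. The message also names only the package `$caller[0]`, which for the `.cgi` scripts is presumably `main` and does not locate the call. I would log file and line, `warn 'Illegal call to $cgi->param in list context from ' . "$caller[1] line $caller[2]";`, and once the logs are clean return only `$result[0]` to callers outside `CGI`. The rest of `param` is in the following hunks.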
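Review bot: With the `_fix_utf8` map removed from `param`, values that arrive through the `url_param` fallback just above it are returned without an explicit decode. Decoding is now left to the `:utf8` pragma enabled in `_setup_symbols`, and nothing in this diff shows that the pragma also covers `url_param`. If it does not, the same parameter would be a character string when read from a POST body and a byte string when read from the URL. A test that sends a non-ASCII value in the query string of a POST request would settle it, and a comment here, `# Decoding is done by CGI's :utf8 pragma; url_param values: <confirmed decoded / decoded here>`, should record the answer.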
@@ -392,13 +373,13 @@ sub param { elsif (!scalar(@_) && $self->request_method && $self->request_method eq 'POST') { - my @post_params = $self->SUPER::param; + my @post_params = $self->SUPER::multi_param(); my @url_params = $self->url_param; my %params = map { $_ => 1 } (@post_params, @url_params); return keys %params; } - return $self->SUPER::param(@_); + return $self->SUPER::multi_param(@_); } sub url_param { @@ -409,13 +390,6 @@ sub url_param { return $self->SUPER::url_param(@_); } -sub _fix_utf8 { - my $input = shift; - # The is_utf8 is here in case CGI gets smart about utf8 someday. - utf8::decode($input) if defined $input && !ref $input && !utf8::is_utf8($input); - return $input; -} - sub should_set { my ($self, $param) = @_; my $set = (defined $self->param($param) @@ -609,21 +583,12 @@ sub STORE { sub FETCH { my ($self, $param) = @_; return $self if $param eq 'CGI'; # CGI.pm did this, so we do too. - my @result = $self->param($param); + my @result = $self->multi_param($param); return undef if !scalar(@result); return $result[0] if scalar(@result) == 1; return \@result; } -# For the Vars TIEHASH interface: the normal CGI.pm DELETE doesn't return -# the value deleted, but Perl's "delete" expects that value. -sub DELETE { - my ($self, $param) = @_; - my $value = $self->FETCH($param); - $self->delete($param); - return $value; -} - 1; __END__ diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm index d0a1312ad..f8d34fe6b 100644 --- a/Bugzilla/Chart.pm +++ b/Bugzilla/Chart.pm 
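Review bot: `FETCH` now reads through `$self->multi_param($param)`, and nothing in this diff overrides `multi_param` in `Bugzilla::CGI`, so the call may go straight to CGI's own implementation and bypass the `param` override with its fallback to `url_param`. If so, `Vars` and every `multi_param` call site in this commit stop seeing URL parameters on POST requests while scalar `param` calls still see them. In `attachment.cgi`, for example, the guard `$cgi->param('obsolete')` and the read `$cgi->multi_param('obsolete')` could then disagree. A thin override such as `sub multi_param { my $self = shift; my @values = $self->param(@_); return @values; }`, with that caller exempted from the list-context warning, would keep both paths consistent. The hunk also deletes `DELETE`, whose comment said Perl's `delete` needs the removed value returned, so a test that `delete` on the tied `Vars` hash still returns it would be worth adding.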
@@ -57,10 +57,10 @@ sub init { # &select0=1&select3=1... # &cumulate=1&datefrom=2002-02-03&dateto=2002-04-04&ctype=html... # >=1&labelgt=Grand+Total - foreach my $param ($cgi->param()) { + foreach my $param ($cgi->multi_param()) { # Store all the lines if ($param =~ /^line(\d+)$/a) { - foreach my $series_id ($cgi->param($param)) { + foreach my $series_id ($cgi->multi_param($param)) { detaint_natural($series_id) || ThrowCodeError("invalid_series_id"); my $series = new Bugzilla::Series($series_id); diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm index 3d9540a94..6c8dab377 100644 --- a/Bugzilla/Flag.pm +++ b/Bugzilla/Flag.pm @@ -843,11 +843,11 @@ sub extract_flags_from_cgi { } # Extract a list of flag type IDs from field names. - my @flagtype_ids = map(/^flag_type-(\d+)$/a ? $1 : (), $cgi->param()); + my @flagtype_ids = map { /^flag_type-(\d+)$/a ? $1 : () } $cgi->multi_param(); @flagtype_ids = grep($cgi->param("flag_type-$_") ne 'X', @flagtype_ids); # Extract a list of existing flag IDs. - my @flag_ids = map(/^flag-(\d+)$/a ? $1 : (), $cgi->param()); + my @flag_ids = map { /^flag-(\d+)$/a ? $1 : () } $cgi->multi_param(); return ([], []) unless (scalar(@flagtype_ids) || scalar(@flag_ids)); @@ -863,7 +863,7 @@ sub extract_flags_from_cgi { # (i.e. they want more than one person to set the flag) we can reuse # the existing flag for the first person (who may well be the existing # requestee), but we have to create new flags for each additional requestee. - my @requestees = $cgi->param("requestee-$flag_id"); + my @requestees = $cgi->multi_param("requestee-$flag_id"); my $requestee_email; if ($status eq "?" && scalar(@requestees) > 1 
@@ -935,7 +935,7 @@ sub extract_flags_from_cgi { my $status = $cgi->param("flag_type-$type_id"); trick_taint($status); - my @logins = $cgi->param("requestee_type-$type_id"); + my @logins = $cgi->multi_param("requestee_type-$type_id"); if ($status eq "?" && scalar(@logins)) { foreach my $login (@logins) { push (@new_flags, { type_id => $type_id, @@ -986,7 +986,7 @@ sub multi_extract_flags_from_cgi { } # Extract a list of flag type IDs from field names. - my @flagtype_ids = map(/^flag_type-(\d+)$/a ? $1 : (), $cgi->param()); + my @flagtype_ids = map { /^flag_type-(\d+)$/a ? $1 : () } $cgi->multi_param(); my (@new_flags, @flags); @@ -1027,7 +1027,7 @@ sub multi_extract_flags_from_cgi { my $status = $cgi->param("flag_type-$type_id"); trick_taint($status); - my @logins = $cgi->param("requestee_type-$type_id"); + my @logins = $cgi->multi_param("requestee_type-$type_id"); if ($status eq "?" && scalar(@logins)) { foreach my $login (@logins) { if ($update) { diff --git a/Bugzilla/Search/Quicksearch.pm b/Bugzilla/Search/Quicksearch.pm index 8e188161c..249748062 100644 --- a/Bugzilla/Search/Quicksearch.pm +++ b/Bugzilla/Search/Quicksearch.pm @@ -248,7 +248,7 @@ sub quicksearch { } # Make sure we have some query terms left - scalar($cgi->param())>0 || ThrowUserError("buglist_parameters_required"); + scalar $cgi->multi_param() or ThrowUserError("buglist_parameters_required"); } # List of quicksearch-specific CGI parameters to get rid of. diff --git a/Bugzilla/Search/Saved.pm b/Bugzilla/Search/Saved.pm index 9f6addffe..27a2e38ca 100644 --- a/Bugzilla/Search/Saved.pm +++ b/Bugzilla/Search/Saved.pm 
@@ -220,10 +220,10 @@ sub edit_link { my ($self) = @_; return $self->{edit_link} if defined $self->{edit_link}; my $cgi = new Bugzilla::CGI($self->url); - if (!$cgi->param('query_type') - || !IsValidQueryType($cgi->param('query_type'))) + if (!$cgi->param('query_format') + || !IsValidQueryType(scalar $cgi->param('query_format'))) { - $cgi->param('query_type', 'advanced'); + $cgi->param('query_format', 'advanced'); } $self->{edit_link} = $cgi->canonicalise_query; return $self->{edit_link}; diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 48899cd78..95a89b560 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -1013,6 +1013,10 @@ sub create { # If an sudo session is in progress, this is the user we're faking 'user' => sub { return Bugzilla->user; }, + # TT directives are evaluated in list context, conflicting + # with CGI checks about using $cgi->param() in list context. + 'cgi_param' => sub { return scalar Bugzilla->cgi->param($_[0]) }, + # Currenly active language 'current_language' => sub { return Bugzilla->current_language; }, diff --git a/Makefile.PL b/Makefile.PL index 062a94754..5742f8429 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -45,7 +45,7 @@ END { # PREREQ_PM my %requires = ( - 'CGI' => '3.51', + 'CGI' => '4.09', 'DBI' => '1.614', 'Date::Format' => '2.23', 'DateTime' => '0.75', diff --git a/attachment.cgi b/attachment.cgi index eab42903d..b74930306 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -330,8 +330,8 @@ sub view { # Bug 111522: allow overriding content-type manually in the posted form # params. - if (defined $cgi->param('content_type')) { - $contenttype = $attachment->_check_content_type($cgi->param('content_type')); + if (my $content_type = $cgi->param('content_type')) { + $contenttype = $attachment->_check_content_type($content_type); } # Return the appropriate HTTP response headers. 
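Review bot: The new `cgi_param` template variable in `create` hands templates a raw request parameter, and its comment explains only the list-context reason for adding it. I would extend the comment to state the contract for template authors: `# Returns the first value only. The result is untrusted user input and must be filtered where it is printed.` The enclosing sub starts and ends outside the hunk.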
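Review bot: In `view`, `if (my $content_type = $cgi->param('content_type'))` replaces a `defined` test, so an empty or `0` override is now skipped silently instead of being passed to `_check_content_type`. If skipping it is intended, the comment above the `if` should say so; otherwise keep the old semantics with `my $content_type = $cgi->param('content_type');` followed by `if (defined $content_type) {`. The same `defined`-to-truthiness change appears in `colchange.cgi` for `rememberedquery` and `saved_search`. `view` continues outside the hunk.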
@@ -503,13 +503,13 @@ sub insert { my ($timestamp) = $dbh->selectrow_array("SELECT NOW()"); # Detect if the user already used the same form to submit an attachment - my $token = trim($cgi->param('token')); + my $token = trim(scalar $cgi->param('token')); check_token_data($token, 'create_attachment', 'index.cgi'); # Check attachments the user tries to mark as obsolete. my @obsolete_attachments; if ($cgi->param('obsolete')) { - my @obsolete = $cgi->param('obsolete'); + my @obsolete = $cgi->multi_param('obsolete'); @obsolete_attachments = Bugzilla::Attachment->validate_obsolete($bug, \@obsolete); } @@ -784,7 +784,7 @@ sub delete_attachment { $attachment->datasize || ThrowUserError('attachment_removed'); # We don't want to let a malicious URL accidentally delete an attachment. - my $token = trim($cgi->param('token')); + my $token = trim(scalar $cgi->param('token')); if ($token) { my ($creator_id, $date, $event) = Bugzilla::Token::GetTokenData($token); unless ($creator_id diff --git a/buglist.cgi b/buglist.cgi index fc00641cd..941ec6ed4 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -123,7 +123,7 @@ if (my $last_list = $cgi->param('regetlastlist')) { # and order by, since relevance only exists when doing a fulltext search. my $fulltext = 0; if ($cgi->param('content')) { $fulltext = 1 } -my @charts = map(/^field(\d-\d-\d)$/ ? $1 : (), $cgi->param()); +my @charts = map { /^field(\d-\d-\d)$/ ? $1 : () } $cgi->multi_param(); foreach my $chart (@charts) { if ($cgi->param("field$chart") eq 'content' && $cgi->param("value$chart")) { $fulltext = 1; @@ -934,7 +934,7 @@ if (scalar(@products) == 1) { $one_product = Bugzilla::Product->new({ name => $products[0], cache => 1 }); } # This is used in the "Zarroo Boogs" case. -elsif (my @product_input = $cgi->param('product')) { +elsif (my @product_input = $cgi->multi_param('product')) { if (scalar(@product_input) == 1 and $product_input[0] ne '') { $one_product = Bugzilla::Product->new({ name => $product_input[0], cache => 1 }); } 
@@ -953,7 +953,7 @@ if (scalar(@components) == 1) { $vars->{one_component} = $components[0]; } # This is used in the "Zarroo Boogs" case. -elsif (my @component_input = $cgi->param('component')) { +elsif (my @component_input = $cgi->multi_param('component')) { if (scalar(@component_input) == 1 and $component_input[0] ne '') { $vars->{one_component}= $cgi->param('component'); } @@ -1122,7 +1122,6 @@ Bugzilla::Hook::process("buglist_format", {'vars' => $vars, $template->process($format->{'template'}, $vars) || ThrowTemplateError($template->error()); - ################################################################################ # Script Conclusion ################################################################################ diff --git a/chart.cgi b/chart.cgi index 13c9fe4cc..b3a52245c 100755 --- a/chart.cgi +++ b/chart.cgi @@ -58,7 +58,7 @@ if (!Bugzilla->feature('new_charts')) { } # Go back to query.cgi if we are adding a boolean chart parameter. -if (grep(/^cmd-/, $cgi->param())) { +if (grep(/^cmd-/, $cgi->multi_param())) { my $params = $cgi->canonicalise_query("format", "ctype", "action"); print $cgi->redirect("query.cgi?format=" . $cgi->param('query_format') . ($params ? "&$params" : "")); @@ -73,7 +73,7 @@ $vars->{'doc_section'} = 'using/reports-and-charts.html#charts'; # of the action param, because that value is localization-dependent. So, we # encode it in the name, as "action-". Some params even contain the # series_id they apply to (e.g. subscribe, unsubscribe). -my @actions = grep(/^action-/, $cgi->param()); +my @actions = grep(/^action-/, $cgi->multi_param()); if ($actions[0] && $actions[0] =~ /^action-([^\d]+)(\d*)$/) { $action = $1; $series_id = $2 if $2; 
@@ -224,14 +224,14 @@ exit; # Find any selected series and return either the first or all of them. sub getAndValidateSeriesIDs { - my @series_ids = grep(/^\d+$/, $cgi->param("name")); + my @series_ids = grep(/^\d+$/, $cgi->multi_param("name")); return wantarray ? @series_ids : $series_ids[0]; } # Return a list of IDs of all the lines selected in the UI. sub getSelectedLines { - my @ids = map { /^select(\d+)$/a ? $1 : () } $cgi->param(); + my @ids = map { /^select(\d+)$/a ? $1 : () } $cgi->multi_param(); return @ids; } diff --git a/colchange.cgi b/colchange.cgi index e1e78f443..f2da452de 100755 --- a/colchange.cgi +++ b/colchange.cgi @@ -71,10 +71,10 @@ if (!$user->is_timetracker) { $vars->{'columns'} = $columns; my @collist; -if (defined $cgi->param('rememberedquery')) { +if (my $rememberedquery = $cgi->param('rememberedquery')) { my $search; - if (defined $cgi->param('saved_search')) { - $search = new Bugzilla::Search::Saved($cgi->param('saved_search')); + if (my $saved_search = $cgi->param('saved_search')) { + $search = new Bugzilla::Search::Saved($saved_search); } my $token = $cgi->param('token'); @@ -91,7 +91,7 @@ if (defined $cgi->param('rememberedquery')) { } else { if (defined $cgi->param("selected_columns")) { @collist = grep { exists $columns->{$_} } - $cgi->param("selected_columns"); + $cgi->multi_param("selected_columns"); } if (defined $cgi->param('splitheader')) { $splitheader = $cgi->param('splitheader')? 1: 0; @@ -131,7 +131,8 @@ if (defined $cgi->param('rememberedquery')) { $search->update(); } - my $params = new Bugzilla::CGI($cgi->param('rememberedquery')); + utf8::decode($rememberedquery); + my $params = new Bugzilla::CGI($rememberedquery); $params->param('columnlist', join(",", @collist)); $vars->{'redirect_url'} = "buglist.cgi?".$params->query_string(); diff --git a/config.cgi b/config.cgi index 3e3943989..32c55acf3 100755 --- a/config.cgi +++ b/config.cgi 
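Review bot: `utf8::decode($rememberedquery);` in the last `colchange.cgi` hunk has no comment, and its return value is discarded. `utf8::decode` returns false when the input is not well-formed UTF-8, and with `:utf8` now enabled in `Bugzilla::CGI` the value has presumably been decoded once already, so the need for a second pass is not obvious from the code. I would add a comment that states what `new Bugzilla::CGI($rememberedquery)` expects and what happens on failure, for example `# utf8::decode returns false on malformed input; the value is then passed on as it was.` The enclosing branch starts in an earlier hunk.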
@@ -49,7 +49,7 @@ $vars->{'custom_fields'} = # Include a list of product objects. if ($cgi->param('product')) { - my @products = $cgi->param('product'); + my @products = $cgi->multi_param('product'); foreach my $product_name (@products) { # We don't use check() because config.cgi outputs mostly # in XML and JS and we don't want to display an HTML error diff --git a/duplicates.cgi b/duplicates.cgi index 0773400fd..da00d8748 100755 --- a/duplicates.cgi +++ b/duplicates.cgi @@ -127,7 +127,7 @@ if (!defined $reverse) { $reverse = 0; } } -my @query_products = $cgi->param('product'); +my @query_products = $cgi->multi_param('product'); my $sortvisible = formvalue("sortvisible"); my @bugs; if ($sortvisible) { diff --git a/editclassifications.cgi b/editclassifications.cgi index 765a34fcb..1ae6e553c 100755 --- a/editclassifications.cgi +++ b/editclassifications.cgi @@ -196,7 +196,7 @@ if ($action eq 'reclassify') { if (defined $cgi->param('add_products')) { check_token_data($token, 'reclassify_classifications'); if (defined $cgi->param('prodlist')) { - foreach my $prod ($cgi->param("prodlist")) { + foreach my $prod ($cgi->multi_param("prodlist")) { trick_taint($prod); $sth->execute($classification->id, $prod); push @names, $prod; @@ -206,7 +206,7 @@ if ($action eq 'reclassify') { } elsif (defined $cgi->param('remove_products')) { check_token_data($token, 'reclassify_classifications'); if (defined $cgi->param('myprodlist')) { - foreach my $prod ($cgi->param("myprodlist")) { + foreach my $prod ($cgi->multi_param('myprodlist')) { trick_taint($prod); $sth->execute(1, $prod); push @names, $prod; diff --git a/editcomponents.cgi b/editcomponents.cgi index 99bd3bb35..ecbbd788f 100755 --- a/editcomponents.cgi +++ b/editcomponents.cgi 
@@ -113,7 +113,7 @@ if ($action eq 'new') { my $default_assignee = trim($cgi->param('initialowner') || ''); my $default_qa_contact = trim($cgi->param('initialqacontact') || ''); my $description = trim($cgi->param('description') || ''); - my @initial_cc = $cgi->param('initialcc'); + my @initial_cc = $cgi->multi_param('initialcc'); my $isactive = $cgi->param('isactive'); my $component = Bugzilla::Component->create({ @@ -216,7 +216,7 @@ if ($action eq 'update') { my $default_assignee = trim($cgi->param('initialowner') || ''); my $default_qa_contact = trim($cgi->param('initialqacontact') || ''); my $description = trim($cgi->param('description') || ''); - my @initial_cc = $cgi->param('initialcc'); + my @initial_cc = $cgi->multi_param('initialcc'); my $isactive = $cgi->param('isactive'); my $component = diff --git a/editfields.cgi b/editfields.cgi index 88961a4e4..acb34e2df 100755 --- a/editfields.cgi +++ b/editfields.cgi @@ -61,7 +61,7 @@ elsif ($action eq 'new') { custom => 1, buglist => 1, visibility_field_id => scalar $cgi->param('visibility_field_id'), - visibility_values => [ $cgi->param('visibility_values') ], + visibility_values => [ $cgi->multi_param('visibility_values') ], value_field_id => scalar $cgi->param('value_field_id'), reverse_desc => scalar $cgi->param('reverse_desc'), is_mandatory => scalar $cgi->param('is_mandatory'), 
@@ -102,17 +102,17 @@ elsif ($action eq 'update') { my $field = new Bugzilla::Field({'name' => $name}); $field || ThrowUserError('customfield_nonexistent', {'name' => $name}); - $field->set_description($cgi->param('desc')); - $field->set_long_desc($cgi->param('long_desc')); - $field->set_sortkey($cgi->param('sortkey')); - $field->set_in_new_bugmail($cgi->param('new_bugmail')); - $field->set_enter_bug($cgi->param('enter_bug')); - $field->set_obsolete($cgi->param('obsolete')); - $field->set_is_mandatory($cgi->param('is_mandatory')); - $field->set_visibility_field($cgi->param('visibility_field_id')); - $field->set_visibility_values([ $cgi->param('visibility_values') ]); - $field->set_value_field($cgi->param('value_field_id')); - $field->set_reverse_desc($cgi->param('reverse_desc')); + $field->set_description(scalar $cgi->param('desc')); + $field->set_long_desc(scalar $cgi->param('long_desc')); + $field->set_sortkey(scalar $cgi->param('sortkey')); + $field->set_in_new_bugmail(scalar $cgi->param('new_bugmail')); + $field->set_enter_bug(scalar $cgi->param('enter_bug')); + $field->set_obsolete(scalar $cgi->param('obsolete')); + $field->set_is_mandatory(scalar $cgi->param('is_mandatory')); + $field->set_visibility_field(scalar $cgi->param('visibility_field_id')); + $field->set_visibility_values([ $cgi->multi_param('visibility_values') ]); + $field->set_value_field(scalar $cgi->param('value_field_id')); + $field->set_reverse_desc(scalar $cgi->param('reverse_desc')); $field->update(); delete_token($token); diff --git a/editflagtypes.cgi b/editflagtypes.cgi index a319742d3..ba2d4891b 100755 --- a/editflagtypes.cgi +++ b/editflagtypes.cgi 
@@ -62,11 +62,11 @@ if ($comp_name) { } # If 'categoryAction' is set, it has priority over 'action'. -if (my ($category_action) = grep { $_ =~ /^categoryAction-(?:\w+)$/ } $cgi->param()) { +if (my ($category_action) = grep { $_ =~ /^categoryAction-(?:\w+)$/ } $cgi->multi_param()) { $category_action =~ s/^categoryAction-//; - my @inclusions = $cgi->param('inclusions'); - my @exclusions = $cgi->param('exclusions'); + my @inclusions = $cgi->multi_param('inclusions'); + my @exclusions = $cgi->multi_param('exclusions'); my @categories; if ($category_action =~ /^(in|ex)clude$/) { if (!$user->in_group('editcomponents') && !$product) { @@ -93,13 +93,13 @@ if (my ($category_action) = grep { $_ =~ /^categoryAction-(?:\w+)$/ } $cgi->para } } elsif ($category_action eq 'removeInclusion') { - my @inclusion_to_remove = $cgi->param('inclusion_to_remove'); + my @inclusion_to_remove = $cgi->multi_param('inclusion_to_remove'); foreach my $remove (@inclusion_to_remove) { @inclusions = grep { $_ ne $remove } @inclusions; } } elsif ($category_action eq 'removeExclusion') { - my @exclusion_to_remove = $cgi->param('exclusion_to_remove'); + my @exclusion_to_remove = $cgi->multi_param('exclusion_to_remove'); foreach my $remove (@exclusion_to_remove) { @exclusions = grep { $_ ne $remove } @exclusions; } @@ -265,8 +265,8 @@ if ($action eq 'insert') { my $is_multiplicable = $cgi->param('is_multiplicable'); my $grant_group = $cgi->param('grant_group'); my $request_group = $cgi->param('request_group'); - my @inclusions = $cgi->param('inclusions'); - my @exclusions = $cgi->param('exclusions'); + my @inclusions = $cgi->multi_param('inclusions'); + my @exclusions = $cgi->multi_param('exclusions'); # Filter inclusion and exclusion lists to products the user can see. unless ($user->in_group('editcomponents')) { 
@@ -317,8 +317,8 @@ if ($action eq 'update') { my $is_multiplicable = $cgi->param('is_multiplicable'); my $grant_group = $cgi->param('grant_group'); my $request_group = $cgi->param('request_group'); - my @inclusions = $cgi->param('inclusions'); - my @exclusions = $cgi->param('exclusions'); + my @inclusions = $cgi->multi_param('inclusions'); + my @exclusions = $cgi->multi_param('exclusions'); my ($flagtype, $can_fully_edit) = $user->check_can_admin_flagtype($flag_id); if ($cgi->param('check_clusions') && !$user->in_group('editcomponents')) { diff --git a/editgroups.cgi b/editgroups.cgi index ac0e6a8bd..49bebb04b 100755 --- a/editgroups.cgi +++ b/editgroups.cgi @@ -149,7 +149,7 @@ unless ($action) { if ($action eq 'changeform') { # Check that an existing group ID is given - my $group_id = CheckGroupID($cgi->param('group')); + my $group_id = CheckGroupID(scalar $cgi->param('group')); my $group = new Bugzilla::Group($group_id); get_current_and_available($group, $vars); @@ -262,7 +262,7 @@ if ($action eq 'postchanges') { my $changes = doGroupChanges(); delete_token($token); - my $group = new Bugzilla::Group($cgi->param('group_id')); + my $group = new Bugzilla::Group(scalar $cgi->param('group_id')); get_current_and_available($group, $vars); $vars->{'message'} = 'group_updated'; $vars->{'group'} = $group; @@ -275,9 +275,9 @@ if ($action eq 'postchanges') { } if ($action eq 'confirm_remove') { - my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id'))); + my $group = new Bugzilla::Group(CheckGroupID(scalar $cgi->param('group_id'))); $vars->{'group'} = $group; - $vars->{'regexp'} = CheckGroupRegexp($cgi->param('regexp')); + $vars->{'regexp'} = CheckGroupRegexp(scalar $cgi->param('regexp')); $vars->{'token'} = issue_session_token('remove_group_members'); $template->process('admin/groups/confirm-remove.html.tmpl', $vars) 
@@ -291,8 +291,8 @@ if ($action eq 'remove_regexp') { # gid = $cgi->param('group') that match the regular expression # stored in the DB for that group or all of them period - my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id'))); - my $regexp = CheckGroupRegexp($cgi->param('regexp')); + my $group = new Bugzilla::Group(CheckGroupID(scalar $cgi->param('group_id'))); + my $regexp = CheckGroupRegexp(scalar $cgi->param('regexp')); $dbh->bz_start_transaction(); @@ -334,27 +334,27 @@ sub doGroupChanges { $dbh->bz_start_transaction(); # Check that the given group ID is valid and make a Group. - my $group = new Bugzilla::Group(CheckGroupID($cgi->param('group_id'))); + my $group = new Bugzilla::Group(CheckGroupID(scalar $cgi->param('group_id'))); if (defined $cgi->param('regexp')) { - $group->set_user_regexp($cgi->param('regexp')); + $group->set_user_regexp(scalar $cgi->param('regexp')); } if ($group->is_bug_group) { if (defined $cgi->param('name')) { - $group->set_name($cgi->param('name')); + $group->set_name(scalar $cgi->param('name')); } if (defined $cgi->param('desc')) { - $group->set_description($cgi->param('desc')); + $group->set_description(scalar $cgi->param('desc')); } # Only set isactive if we came from the right form. if (defined $cgi->param('regexp')) { - $group->set_is_active($cgi->param('isactive')); + $group->set_is_active(scalar $cgi->param('isactive')); } } if (defined $cgi->param('icon_url')) { - $group->set_icon_url($cgi->param('icon_url')); + $group->set_icon_url(scalar $cgi->param('icon_url')); } my $changes = $group->update(); @@ -403,7 +403,7 @@ sub _do_add { $current = $group->grant_direct($type); } - my $add_items = Bugzilla::Group->new_from_list([$cgi->param($field)]); + my $add_items = Bugzilla::Group->new_from_list([$cgi->multi_param($field)]); foreach my $add (@$add_items) { next if grep($_->id == $add->id, @$current); 
@@ -423,7 +423,7 @@ sub _do_add { sub _do_remove { my ($group, $changes, $sth_delete, $field, $type, $reverse) = @_; my $cgi = Bugzilla->cgi; - my $remove_items = Bugzilla::Group->new_from_list([$cgi->param($field)]); + my $remove_items = Bugzilla::Group->new_from_list([$cgi->multi_param($field)]); foreach my $remove (@$remove_items) { my @ids = ($remove->id, $group->id); diff --git a/editproducts.cgi b/editproducts.cgi index 5f7434772..942e2073c 100755 --- a/editproducts.cgi +++ b/editproducts.cgi @@ -178,7 +178,7 @@ if ($action eq 'new') { $dbh->bz_start_transaction(); my $product = Bugzilla::Product->create(\%product_create_params); - my @initial_cc = $cgi->param('initialcc'); + my @initial_cc = $cgi->multi_param('initialcc'); my %component_create_params = ( product => $product, name => trim($cgi->param('component') || ''), @@ -342,7 +342,7 @@ if ($action eq 'updategroupcontrols') { my @now_na = (); my @now_mandatory = (); - foreach my $f ($cgi->param()) { + foreach my $f ($cgi->multi_param()) { if ($f =~ /^membercontrol_(\d+)$/a) { my $id = $1; if ($cgi->param($f) == CONTROLMAPNA) { diff --git a/editusers.cgi b/editusers.cgi index 341176871..9d89d2efa 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -67,7 +67,7 @@ if ($action eq 'search') { ########################################################################### } elsif ($action eq 'list') { my $matchvalue = $cgi->param('matchvalue') || ''; - my $matchstr = trim($cgi->param('matchstr')); + my $matchstr = trim(scalar $cgi->param('matchstr')); my $matchtype = $cgi->param('matchtype'); my $grouprestrict = $cgi->param('grouprestrict') || '0'; # 0 = disabled only, 1 = enabled only, 2 = everyone 
@@ -268,14 +268,14 @@ if ($action eq 'search') { # is not authorized. my $changes = {}; if ($editusers) { - $otherUser->set_login($cgi->param('login')); - $otherUser->set_name($cgi->param('name')); - $otherUser->set_password($cgi->param('password')) + $otherUser->set_login(scalar $cgi->param('login')); + $otherUser->set_name(scalar $cgi->param('name')); + $otherUser->set_password(scalar $cgi->param('password')) if $cgi->param('password'); - $otherUser->set_disabledtext($cgi->param('disabledtext')); - $otherUser->set_disable_mail($cgi->param('disable_mail')); - $otherUser->set_extern_id($cgi->param('extern_id')) - if defined($cgi->param('extern_id')); + $otherUser->set_disabledtext(scalar $cgi->param('disabledtext')); + $otherUser->set_disable_mail(scalar $cgi->param('disable_mail')); + $otherUser->set_extern_id(scalar $cgi->param('extern_id')) + if defined $cgi->param('extern_id'); # Update bless groups my @bless_ids = grep { s/bless_// } keys %{ Bugzilla->cgi->Vars }; diff --git a/editvalues.cgi b/editvalues.cgi index 4be8cfd44..2b276df4b 100755 --- a/editvalues.cgi +++ b/editvalues.cgi @@ -76,7 +76,7 @@ if (!$cgi->param('field')) { } # At this point, the field must be defined. -my $field = Bugzilla::Field->check($cgi->param('field')); +my $field = Bugzilla::Field->check(scalar $cgi->param('field')); if (!$field->is_select || $field->is_abnormal) { ThrowUserError('fieldname_invalid', { field => $field }); } @@ -119,7 +119,7 @@ if ($action eq 'new') { } # After this, we always have a value -my $value = Bugzilla::Field::Choice->type($field)->check($cgi->param('value')); +my $value = Bugzilla::Field::Choice->type($field)->check(scalar $cgi->param('value')); $vars->{'value'} = $value; # diff --git a/editwhines.cgi b/editwhines.cgi index 6597db893..d545845b1 100755 --- a/editwhines.cgi +++ b/editwhines.cgi 
@@ -125,8 +125,8 @@ if ($cgi->param('update')) { } else { # check the subject, body and mailifnobugs for changes - my $subject = ($cgi->param("event_${eventid}_subject") or ''); - my $body = ($cgi->param("event_${eventid}_body") or ''); + my $subject = $cgi->param("event_${eventid}_subject") // ''; + my $body = $cgi->param("event_${eventid}_body") // ''; my $mailifnobugs = $cgi->param("event_${eventid}_mailifnobugs") ? 1 : 0; trick_taint($subject) if $subject; diff --git a/enter_bug.cgi b/enter_bug.cgi index d6cc90764..4f0992df7 100755 --- a/enter_bug.cgi +++ b/enter_bug.cgi @@ -186,7 +186,7 @@ foreach my $field (@enter_bug_fields) { my $cf_value = $cgi->param($cf_name); if (defined $cf_value) { if ($field->type == FIELD_TYPE_MULTI_SELECT) { - $cf_value = [$cgi->param($cf_name)]; + $cf_value = [$cgi->multi_param($cf_name)]; } $default{$cf_name} = $vars->{$cf_name} = $cf_value; } @@ -270,7 +270,7 @@ else { $vars->{'estimated_time'} = formvalue('estimated_time'); $vars->{'see_also'} = formvalue('see_also'); - $vars->{'cc'} = join(', ', $cgi->param('cc')); + $vars->{'cc'} = join(', ', $cgi->multi_param('cc')); $vars->{'comment'} = formvalue('comment'); $vars->{'comment_is_private'} = formvalue('comment_is_private'); @@ -341,7 +341,7 @@ if ($picked_status and grep($_->name eq $picked_status, @statuses)) { $default{'bug_status'} = Bugzilla::Bug->default_bug_status(@statuses); } -my @groups = $cgi->param('groups'); +my @groups = $cgi->multi_param('groups'); if ($cloned_bug) { my @clone_groups = map { $_->name } @{ $cloned_bug->groups_in }; # It doesn't matter if there are duplicate names, since all we check diff --git a/post_bug.cgi b/post_bug.cgi index 17d0fe4ea..712d765d8 100755 --- a/post_bug.cgi +++ b/post_bug.cgi 
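Review bot: The guard `trick_taint($subject) if $subject;` on the context line after the change no longer matches the new defaulting in editwhines.cgi. With `// ''` a submitted subject or body of `0` is kept rather than replaced by `''`, but it is still false, so it skips `trick_taint` and stays tainted. If that value later reaches a database call under taint checking (that code is outside this hunk, so this is an assumption), the update would fail for that input. Testing for non-empty keeps the two lines consistent: `trick_taint($subject) if $subject ne '';`, and the same for `$body` if it is guarded the same way. The enclosing `else` branch continues past the end of the hunk.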
@@ -44,7 +44,7 @@ unless ($cgi->param()) { } # Detect if the user already used the same form to submit a bug -my $token = trim($cgi->param('token')); +my $token = trim(scalar $cgi->param('token')); check_token_data($token, 'create_bug', 'index.cgi'); # do a match on the fields if applicable @@ -112,7 +112,7 @@ foreach my $field (@bug_fields) { } foreach my $field (qw(cc groups)) { next if !$cgi->should_set($field); - $bug_params{$field} = [$cgi->param($field)]; + $bug_params{$field} = [$cgi->multi_param($field)]; } $bug_params{'comment'} = $comment; $bug_params{'is_markdown'} = $cgi->param('use_markdown'); @@ -122,7 +122,7 @@ my @multi_selects = grep {$_->type == FIELD_TYPE_MULTI_SELECT && $_->enter_bug} foreach my $field (@multi_selects) { next if !$cgi->should_set($field->name); - $bug_params{$field->name} = [$cgi->param($field->name)]; + $bug_params{$field->name} = [$cgi->multi_param($field->name)]; } @@ -165,7 +165,7 @@ my $data_fh = $cgi->upload('data'); my $attach_text = $cgi->param('attach_text'); if ($data_fh || $attach_text) { - $cgi->param('isprivate', $cgi->param('comment_is_private')); + $cgi->param('isprivate', scalar $cgi->param('comment_is_private')); # Must be called before create() as it may alter $cgi->param('ispatch'). my $content_type = Bugzilla::Attachment::get_content_type(); diff --git a/process_bug.cgi b/process_bug.cgi index ea803d1f7..2b34d1b80 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -63,7 +63,7 @@ if (defined $cgi->param('id')) { $cgi->param('id', $bug->id); push(@bug_objects, $bug); } else { - foreach my $i ($cgi->param()) { + foreach my $i ($cgi->multi_param()) { if ($i =~ /^id_([1-9][0-9]*)/) { my $id = $1; push(@bug_objects, Bugzilla::Bug->check_for_edit($id)); 
@@ -78,7 +78,7 @@ my $first_bug = $bug_objects[0]; # Used when we're only updating a single bug. # Delete any parameter set to 'dontchange'. if (defined $cgi->param('dontchange')) { - foreach my $name ($cgi->param) { + foreach my $name ($cgi->multi_param()) { next if $name eq 'dontchange'; # But don't delete dontchange itself! # Skip ones we've already deleted (such as "defined_$name"). next if !defined $cgi->param($name); @@ -247,7 +247,7 @@ if (should_set('see_also')) { [split(/[\s]+/, $cgi->param('see_also'))]; } if (should_set('remove_see_also')) { - $set_all_fields{'see_also'}->{remove} = [$cgi->param('remove_see_also')]; + $set_all_fields{'see_also'}->{remove} = [$cgi->multi_param('remove_see_also')]; } foreach my $dep_field (qw(dependson blocked)) { if (should_set($dep_field)) { @@ -271,18 +271,18 @@ if (defined $cgi->param('newcc') # remove cc's... otherwise, we came from show_bug and may need to do both. if (defined $cgi->param('masscc')) { if ($cgi->param('ccaction') eq 'add') { - @cc_add = $cgi->param('masscc'); + @cc_add = $cgi->multi_param('masscc'); } elsif ($cgi->param('ccaction') eq 'remove') { - @cc_remove = $cgi->param('masscc'); + @cc_remove = $cgi->multi_param('masscc'); } } else { - @cc_add = $cgi->param('newcc'); + @cc_add = $cgi->multi_param('newcc'); push(@cc_add, $user) if $cgi->param('addselfcc'); # We came from show_bug which uses a select box to determine what cc's # need to be removed... if ($cgi->param('removecc') && $cgi->param('cc')) { - @cc_remove = $cgi->param('cc'); + @cc_remove = $cgi->multi_param('cc'); } } @@ -300,7 +300,7 @@ if (defined $cgi->param('id')) { # aliases need to be removed... my @alias_remove = (); if ($cgi->param('removealias') && $cgi->param('alias')) { - @alias_remove = $cgi->param('alias'); + @alias_remove = $cgi->multi_param('alias'); } $set_all_fields{alias} = { add => \@alias_add, remove => \@alias_remove }; 
@@ -308,7 +308,7 @@ if (defined $cgi->param('id')) { } my %is_private; -foreach my $field (grep(/^defined_isprivate/, $cgi->param())) { +foreach my $field (grep(/^defined_isprivate/, $cgi->multi_param())) { if ($field =~ /(\d+)$/a) { my $comment_id = $1; $is_private{$comment_id} = $cgi->param("isprivate_$comment_id"); @@ -316,8 +316,8 @@ foreach my $field (grep(/^defined_isprivate/, $cgi->param())) { } $set_all_fields{comment_is_private} = \%is_private; -my @check_groups = $cgi->param('defined_groups'); -my @set_groups = $cgi->param('groups'); +my @check_groups = $cgi->multi_param('defined_groups'); +my @set_groups = $cgi->multi_param('groups'); my ($removed_groups) = diff_arrays(\@check_groups, \@set_groups); $set_all_fields{groups} = { add => \@set_groups, remove => $removed_groups }; @@ -325,7 +325,7 @@ my @custom_fields = Bugzilla->active_custom_fields; foreach my $field (@custom_fields) { my $fname = $field->name; if (should_set($fname, 1)) { - $set_all_fields{$fname} = [$cgi->param($fname)]; + $set_all_fields{$fname} = [$cgi->multi_param($fname)]; } } diff --git a/query.cgi b/query.cgi index 4fa52f5c8..88277bf35 100755 --- a/query.cgi +++ b/query.cgi @@ -114,7 +114,7 @@ sub PrefillForm { # search or from an old link on the web somewhere) then convert them # to the new "custom search" format so that the form is populated # properly. - my $any_boolean_charts = grep { /^field-?\d+/ } $buf->param(); + my $any_boolean_charts = grep { /^field-?\d+/ } $buf->multi_param(); if ($any_boolean_charts) { my $search = new Bugzilla::Search(params => scalar $buf->Vars); $search->boolean_charts_to_custom_search($buf); 
@@ -124,10 +124,10 @@ sub PrefillForm { my @skip = qw(format query_format list_id columnlist); # Iterate over the URL parameters - foreach my $name ($buf->param()) { + foreach my $name ($buf->multi_param()) { next if grep { $_ eq $name } @skip; $foundone = 1; - my @values = $buf->param($name); + my @values = $buf->multi_param($name); # If the name is a single letter followed by numbers, it's part # of Custom Search. We store these as an array of hashes. diff --git a/relogin.cgi b/relogin.cgi index 65c29a2c4..798bba00d 100755 --- a/relogin.cgi +++ b/relogin.cgi @@ -101,8 +101,9 @@ elsif ($action eq 'begin-sudo') { # Did the user actually go trough the 'sudo-prepare' action? Do some # checks on the token the action should have left. + my $token = $cgi->param('token'); my ($token_user, $token_timestamp, $token_data) = - Bugzilla::Token::GetTokenData($cgi->param('token')); + Bugzilla::Token::GetTokenData($token); unless (defined($token_user) && defined($token_data) && ($token_user == $user->id) @@ -111,13 +112,13 @@ elsif ($action eq 'begin-sudo') { ThrowUserError('sudo_preparation_required', { target_login => $target_login, reason => $reason }); } - delete_token($cgi->param('token')); + delete_token($token); # Calculate the session expiry time (T + 6 hours) my $time_string = time2str('%a, %d-%b-%Y %T %Z', time + MAX_SUDO_TOKEN_AGE, 'GMT'); # For future sessions, store the unique ID of the target user - my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id); + $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id); my %args; if (Bugzilla->params->{ssl_redirect}) { diff --git a/report.cgi b/report.cgi index 2f637fca4..5c57246f7 100755 --- a/report.cgi +++ b/report.cgi 
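Review bot: In relogin.cgi `$token` now carries two unrelated values. The first hunk reads the sudo-prepare token from the request into it, and the second hunk, after `delete_token($token)`, overwrites it with `$token = Bugzilla::Token::_create_token(...)`. Reusing one variable for a consumed, request-supplied token and a freshly created session token makes it easy for a later edit to pass the wrong one. A separate name for the request value keeps them apart, e.g. `my $prep_token = $cgi->param('token');` used in `GetTokenData($prep_token)` and `delete_token($prep_token)`, with `my $token = ...` left as it was for the new token. The `begin-sudo` branch starts and ends outside both hunks.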
@@ -28,7 +28,7 @@ my $template = Bugzilla->template; my $vars = {}; # Go straight back to query.cgi if we are adding a boolean chart. -if (grep(/^cmd-/, $cgi->param())) { +if (grep(/^cmd-/, $cgi->multi_param())) { my $params = $cgi->canonicalise_query("format", "ctype"); my $location = "query.cgi?format=" . $cgi->param('query_format') . ($params ? "&$params" : ""); @@ -53,7 +53,7 @@ elsif ($action eq 'add') { my $user = Bugzilla->login(LOGIN_REQUIRED); check_hash_token($token, ['save_report']); - my $name = clean_text($cgi->param('name')); + my $name = clean_text(scalar $cgi->param('name')); my $query = $cgi->param('query'); if (my ($report) = grep{ lc($_->name) eq lc($name) } @{$user->reports}) { @@ -444,5 +444,5 @@ sub get_field_restrictions { my $field = shift; my $cgi = Bugzilla->cgi; - return join('&', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field)); + return join('&', map {url_quote($field) . '=' . url_quote($_)} $cgi->multi_param($field)); } diff --git a/reports.cgi b/reports.cgi index 06890b38d..e40c22384 100755 --- a/reports.cgi +++ b/reports.cgi @@ -83,7 +83,7 @@ else { } # Make sure there is something to plot. - my @datasets = $cgi->param('datasets'); + my @datasets = $cgi->multi_param('datasets'); scalar(@datasets) || ThrowUserError('missing_datasets'); if (grep { $_ !~ /^[A-Za-z0-9:_-]+$/ } @datasets) { diff --git a/request.cgi b/request.cgi index 95e4fd1fd..54b568a84 100755 --- a/request.cgi +++ b/request.cgi @@ -84,8 +84,8 @@ sub queue { my $userid = $user->id; my $vars = {}; - my $status = validateStatus($cgi->param('status')); - my $form_group = validateGroup($cgi->param('group')); + my $status = validateStatus(scalar $cgi->param('status')); + my $form_group = validateGroup(scalar $cgi->param('group')); my $query = # Select columns describing each flag, the bug/attachment on which 
@@ -167,15 +167,15 @@ sub queue { my $do_union = $cgi->param('do_union'); # Filter results by exact email address of requester or requestee. - if (defined $cgi->param('requester') && $cgi->param('requester') ne "") { - my $requester = $dbh->quote($cgi->param('requester')); + if (my $requester = $cgi->param('requester')) { + $requester = $dbh->quote($requester); trick_taint($requester); # Quoted above push(@criteria, $dbh->sql_istrcmp('requesters.login_name', $requester)); push(@excluded_columns, 'requester') unless $do_union; } - if (defined $cgi->param('requestee') && $cgi->param('requestee') ne "") { - if ($cgi->param('requestee') ne "-") { - my $requestee = $dbh->quote($cgi->param('requestee')); + if (my $requestee = $cgi->param('requestee')) { + if ($requestee ne '-') { + $requestee = $dbh->quote($requestee); trick_taint($requestee); # Quoted above push(@criteria, $dbh->sql_istrcmp('requestees.login_name', $requestee)); } diff --git a/sanitycheck.cgi b/sanitycheck.cgi index bb131a65a..85f73bc6d 100755 --- a/sanitycheck.cgi +++ b/sanitycheck.cgi @@ -69,7 +69,7 @@ else { # web browser and a parameter is passed to the script. # XXX - Maybe these two parameters should be deleted once logged in? $cgi->delete('GoAheadAndLogIn', 'Bugzilla_restrictlogin'); - if (scalar($cgi->param())) { + if (scalar $cgi->multi_param()) { my $token = $cgi->param('token'); check_hash_token($token, ['sanitycheck']); } diff --git a/show_bug.cgi b/show_bug.cgi index 09cb91a86..41aa00682 100755 --- a/show_bug.cgi +++ b/show_bug.cgi @@ -61,7 +61,7 @@ if ($single) { } } } else { - foreach my $id ($cgi->param('id')) { + foreach my $id ($cgi->multi_param('id')) { # Be kind enough and accept URLs of the form: id=1,2,3. my @ids = split(/,/, $id); my @check_bugs; 
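Review bot: `if (my $requester = $cgi->param('requester'))` tests truthiness, whereas the removed code tested `defined ... && ... ne ""`. A submitted value of `0` therefore now skips the branch, and the criterion is never pushed onto `@criteria`; the `requestee` test a few lines down has the same change. The resulting queue is broader than what was asked for, not narrower. Keeping the single read with the original test preserves behaviour: `my $requester = $cgi->param('requester');` followed by `if (defined $requester && $requester ne '') {`. `queue` starts and ends outside the hunk.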
@@ -108,7 +108,7 @@ my @fieldlist = (Bugzilla::Bug->fields, 'flag', 'group', 'long_desc', my %displayfields; if ($cgi->param("field")) { - @fieldlist = $cgi->param("field"); + @fieldlist = $cgi->multi_param("field"); } unless ($user->is_timetracker) { @@ -119,8 +119,8 @@ foreach (@fieldlist) { $displayfields{$_} = 1; } -foreach ($cgi->param("excludefield")) { - $displayfields{$_} = undef; +foreach ($cgi->multi_param("excludefield")) { + $displayfields{$_} = undef; } $vars->{'displayfields'} = \%displayfields; diff --git a/summarize_time.cgi b/summarize_time.cgi index 193899f0d..dd1e9e08e 100755 --- a/summarize_time.cgi +++ b/summarize_time.cgi @@ -264,7 +264,7 @@ my $detailed = $cgi->param('detailed'); my $do_report = $cgi->param('do_report'); my $inactive = $cgi->param('inactive'); my $do_depends = $cgi->param('do_depends'); -my $ctype = scalar($cgi->param("ctype")); +my $ctype = $cgi->param('ctype'); my ($start_date, $end_date); if ($do_report) { @@ -280,8 +280,8 @@ if ($do_report) { @bugs = @{ $user->visible_bugs(\@bugs) }; } - $start_date = trim $cgi->param('start_date'); - $end_date = trim $cgi->param('end_date'); + $start_date = trim(scalar $cgi->param('start_date')); + $end_date = trim(scalar $cgi->param('end_date')); foreach my $date ($start_date, $end_date) { next unless $date; diff --git a/t/004template.t b/t/004template.t index e6c241cc0..5296564ae 100644 --- a/t/004template.t +++ b/t/004template.t @@ -22,7 +22,7 @@ use CGI qw(-no_debug); use File::Spec; use Template; -use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files ); +use Test::More tests => ( scalar(@referenced_files) + 3 * $num_actual_files ); # Capture the TESTOUT from Test::More or Test::Builder for printing errors. # This will handle verbosity for us automatically. 
@@ -117,6 +117,14 @@ foreach my $include_path (@include_paths) { else { ok(1, "$path contains no blacklisted constructs"); } + + # Forbid cgi.param(). cgi_param() must be used instead. + if ($data =~ /cgi\.param/) { + ok(0, "$path calls cgi.param() instead of cgi_param()"); + } + else { + ok(1, "$path correctly calls CGI parameters"); + } } } diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index 05d177d09..afa77df7f 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -25,7 +25,7 @@
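Review bot: The new check `$data =~ /cgi\.param/` in t/004template.t is a plain substring match, so it only catches calls made through a name literally ending in `cgi`. A template that binds the object to another variable (`[% c = Bugzilla.cgi %]` and then `c.param(...)`) would pass. If the intent is to keep `param()` calls out of every template, either a comment above the test stating that limitation or a broader pattern such as `/\.param\s*\(/` would make the guarantee explicit; whether the broader pattern gives false positives on other template objects cannot be judged from this hunk. The failure message could also state the reason, e.g. `"$path calls cgi.param(), which is evaluated in list context in templates; use cgi_param()"`. The enclosing `foreach` loops start outside the hunk.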
+ method="POST" [% IF cgi_param("data") %] enctype="multipart/form-data"[% END %]> [%# Accept URL parameter build ID for non-browser products %] - [% IF cgi.param("buildid") %] - [% buildid = cgi.param("buildid") %] + [% IF cgi_param("buildid") %] + [% buildid = cgi_param("buildid") %] [% END %] diff --git a/template/en/default/bug/process/header.html.tmpl b/template/en/default/bug/process/header.html.tmpl index 55de0c324..b95e1dcd3 100644 --- a/template/en/default/bug/process/header.html.tmpl +++ b/template/en/default/bug/process/header.html.tmpl @@ -10,13 +10,11 @@ # As global/header.html.tmpl. #%] -[% USE Bugzilla %] - [% PROCESS "bug/show-header.html.tmpl" %] -[% IF title_tag == "bug_processed" %] +[% IF title_tag == "bug_processed" %] [% title = BLOCK %] - [% IF Bugzilla.cgi.param('id') %] + [% IF cgi_param('id') %] [%+ id FILTER html %] [% ELSE %] [% terms.Bugs %] diff --git a/template/en/default/bug/process/midair.html.tmpl b/template/en/default/bug/process/midair.html.tmpl index f89590df2..ca7e095c1 100644 --- a/template/en/default/bug/process/midair.html.tmpl +++ b/template/en/default/bug/process/midair.html.tmpl @@ -15,10 +15,6 @@ # bug: Bugzilla::Bug; the bug being changed. #%] -[%# The global Bugzilla->cgi object is used to obtain form variable values. %] -[% USE Bugzilla %] -[% cgi = Bugzilla.cgi %] - [% UNLESS header_done %] [% PROCESS bug/process/header.html.tmpl %] [% END %] @@ -45,11 +41,11 @@

[% END %] -[% IF cgi.param("comment") %] +[% IF cgi_param("comment") %]

Your comment was:

-    [% cgi.param("comment") FILTER html %]
+    [% cgi_param("comment") FILTER html %]
   

[% END %] @@ -70,16 +66,16 @@ You have the following choices: [% ", except for the added comment(s)" IF comments.size %]. - [% IF cgi.param("comment") %] + [% IF cgi_param("comment") %]
  • - + - - + + - + value="[% cgi_param("comment_is_private") FILTER html %]"> +
  • diff --git a/template/en/default/bug/process/verify-new-product.html.tmpl b/template/en/default/bug/process/verify-new-product.html.tmpl index c562bf54d..837a9836f 100644 --- a/template/en/default/bug/process/verify-new-product.html.tmpl +++ b/template/en/default/bug/process/verify-new-product.html.tmpl @@ -17,6 +17,9 @@ # verify_bug_groups: If groups need to be confirmed in addition to fields. #%] +[% USE Bugzilla %] +[% cgi = Bugzilla.cgi %] + [% PROCESS global/header.html.tmpl title = 'Verify New Product Details...' style_urls = ['skins/standard/buglist.css'] @@ -165,14 +168,14 @@
    diff --git a/template/en/default/attachment/midair.html.tmpl b/template/en/default/attachment/midair.html.tmpl index 68db5d974..4dd44ef4d 100644 --- a/template/en/default/attachment/midair.html.tmpl +++ b/template/en/default/attachment/midair.html.tmpl @@ -14,10 +14,6 @@ # attachment: object; the attachment being changed. #%] -[%# The global Bugzilla->cgi object is used to obtain form variable values. %] -[% USE Bugzilla %] -[% cgi = Bugzilla.cgi %] - [% PROCESS global/header.html.tmpl title = "Mid-air collision!" %]

    Mid-air collision detected!

    @@ -33,11 +29,11 @@ [% PROCESS "bug/activity/table.html.tmpl" incomplete_data=0 %]

    -[% IF cgi.param("comment") %] +[% IF cgi_param("comment") %]

    Your comment was:

    -    [% cgi.param("comment") FILTER html %]
    +    [% cgi_param("comment") FILTER html %]
       

    [% END %] diff --git a/template/en/default/bug/create/comment-guided.txt.tmpl b/template/en/default/bug/create/comment-guided.txt.tmpl index e85a36469..0a7b5223a 100644 --- a/template/en/default/bug/create/comment-guided.txt.tmpl +++ b/template/en/default/bug/create/comment-guided.txt.tmpl @@ -8,27 +8,27 @@ [% USE Bugzilla %] [% cgi = Bugzilla.cgi %] User-Agent: [%+ cgi.user_agent() %] -Build Identifier: [%+ cgi.param("buildid") %] +Build Identifier: [%+ cgi_param("buildid") %] -[%+ cgi.param("comment") IF cgi.param("comment") %] +[%+ cgi_param("comment") IF cgi_param("comment") %] -[%+ IF cgi.param("reproducible") != "Choose one..." -%] -Reproducible: [%+ cgi.param("reproducible") %] +[%+ IF cgi_param("reproducible") != "Choose one..." -%] +Reproducible: [%+ cgi_param("reproducible") %] [% END %] -[% IF !(cgi.param("reproduce_steps").match('^1\.\s*2\.\s*3\.\s*$') || cgi.param("reproduce_steps").match('^\s*$')) %] +[% IF !(cgi_param("reproduce_steps").match('^1\.\s*2\.\s*3\.\s*$') || cgi_param("reproduce_steps").match('^\s*$')) %] Steps to Reproduce: -[%+ cgi.param("reproduce_steps") %] +[%+ cgi_param("reproduce_steps") %] [% END %] -[% IF cgi.param("actual_results") -%] +[% IF cgi_param("actual_results") -%] Actual Results: -[%+ cgi.param("actual_results") %] +[%+ cgi_param("actual_results") %] [% END %] -[% IF cgi.param("expected_results") %] +[% IF cgi_param("expected_results") %] Expected Results: -[%+ cgi.param("expected_results") %] +[%+ cgi_param("expected_results") %] [% END %] -[%+ cgi.param("additional_info") %] +[%+ cgi_param("additional_info") %] diff --git a/template/en/default/bug/create/comment.txt.tmpl b/template/en/default/bug/create/comment.txt.tmpl index 4cd78ddd1..8eb6bfaf0 100644 --- a/template/en/default/bug/create/comment.txt.tmpl +++ b/template/en/default/bug/create/comment.txt.tmpl 
@@ -5,8 +5,7 @@ # This Source Code Form is "Incompatible With Secondary Licenses", as # defined by the Mozilla Public License, v. 2.0. #%] -[% USE Bugzilla %] -[% Hook.process("form") %] +[% Hook.process("form") %] -[% Bugzilla.cgi.param("comment") %] +[% cgi_param("comment") %] diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl index 1adae4588..0169d9e6b 100644 --- a/template/en/default/bug/create/create-guided.html.tmpl +++ b/template/en/default/bug/create/create-guided.html.tmpl @@ -10,9 +10,6 @@ # This template has the same interface as create.html.tmpl #%] -[% USE Bugzilla %] -[% cgi = Bugzilla.cgi %] - [% PROCESS global/header.html.tmpl title = "Enter $terms.ABug" onload = "PutDescription()" @@ -165,8 +162,8 @@ function PutDescription() {
    @@ -189,7 +192,7 @@ name="groups" [% ' checked="checked"' IF ((group.membercontrol == constants.CONTROLMAPDEFAULT && user.in_group(group.group.name)) || (group.othercontrol == constants.CONTROLMAPDEFAULT && !user.in_group(group.group.name)) - || cgi.param("groups").contains(group.group.name)) %] + || cgi.multi_param("groups").contains(group.group.name)) %] value="[% group.group.name FILTER html %]">