From 5c7b05750982bca4528c5acde579012f7ccf9120 Mon Sep 17 00:00:00 2001
From: Matt Tyson
Date: Wed, 24 Feb 2016 19:07:20 -0500
Subject: Bug 1250786 - Detainting of params.json r=dylan,a=dylan

---
 Bugzilla/Config.pm | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

(limited to 'Bugzilla/Config.pm')

diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm
index d47577212..64f228915 100644
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -292,32 +292,23 @@ sub write_params {
 }
 
 sub read_param_file {
- my %params;
+ my $params;
 my $file = bz_locations()->{'datadir'} . '/params.json';
 
 if (-e $file) {
 my $data;
 read_file($file, binmode => ':utf8', buf_ref => \$data);
+ trick_taint($data);
 
 # If params.json has been manually edited and e.g. some quotes are
 # missing, we don't want JSON::XS to leak the content of the file
 # to all users in its error message, so we have to eval'uate it.
- %params = eval { %{JSON::XS->new->decode($data)} };
+ $params = eval { JSON::XS->new->decode($data) };
 if ($@) {
 my $error_msg = (basename($0) eq 'checksetup.pl') ?
 $@ : 'run checksetup.pl to see the details.';
 die "Error parsing $file: $error_msg";
 }
- # JSON::XS doesn't detaint data for us.
- foreach my $key (keys %params) {
- if (ref($params{$key}) eq "ARRAY") {
- foreach my $item (@{$params{$key}}) {
- trick_taint($item);
- }
- } else {
- trick_taint($params{$key}) if defined $params{$key};
- }
- }
 }
 elsif ($ENV{'SERVER_SOFTWARE'}) {
 # We're in a CGI, but the params file doesn't exist. We can't
@@ -332,7 +323,7 @@ sub read_param_file {
 die "The $file file does not exist."
 . ' You probably need to run checksetup.pl.',
 }
- return \%params;
+ return $params // {};
 }
 
 1;
-- 
cgit v1.2.3-24-g4f1b
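Review bot: After the new `$params = eval { JSON::XS->new->decode($data) };` nothing checks that the decoded value is a hash reference, whereas the removed `%{ ... }` dereference inside the eval turned a top-level array, string or `null` in params.json into a caught error with the "Error parsing" message. Now a file containing `null` falls through the second hunk's `return $params // {};` as an empty configuration, and an array-valued file hands callers an arrayref where they expect a hashref, so a corrupted params.json fails far from the code that read it. Adding `die "Error parsing $file: not a JSON object" unless ref($params) eq 'HASH';` directly after the `if ($@) { ... }` block restores that check with the same caller-facing wording. Moving `trick_taint` to the whole buffer before decoding looks reasonable for a file that presumably only write_params() (visible in the hunk header) writes into datadir, but a one-line comment such as `# params.json is written by write_params() into datadir, so the raw buffer can be detainted before decoding` would record why the per-value detainting loop was safe to drop. read_param_file spans both hunks, with the body between them outside this patch.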