From 7380ea9ae11764633a4b6e64850da2d84b2aaeb2 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Fri, 11 Sep 2009 16:10:13 +0000
Subject: Bug 515191: [SECURITY] SQL Injection via Bug.search (CVE-2009-3125)
 and Bug.create (CVE-2009-3165) Patch by Max Kanat-Alexander
 <mkanat@bugzilla.org> r=LpSolit, a=mkanat

---
 Bugzilla/Object.pm | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/Object.pm')

diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index bb8b45d76..456888b38 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -169,7 +169,19 @@ sub match {
         next if $field eq 'OFFSET';
         if ( $field eq 'LIMIT' ) {
             next unless defined $value;
-            $postamble = $dbh->sql_limit( $value, $criteria->{OFFSET} );
+            detaint_natural($value)
+              or ThrowCodeError('param_must_be_numeric', 
+                                { param    => 'LIMIT', 
+                                  function => "${class}::match" });
+            my $offset;
+            if (defined $criteria->{OFFSET}) {
+                $offset = $criteria->{OFFSET};
+                detaint_signed($offset)
+                  or ThrowCodeError('param_must_be_numeric', 
+                                    { param    => 'OFFSET',
+                                      function => "${class}::match" });
+            }
+            $postamble = $dbh->sql_limit($value, $offset);
             next;
         }
         elsif ( $field eq 'WHERE' ) {
@@ -185,6 +197,8 @@ sub match {
             next;
         }
         
+        $class->_check_field($field, 'match');
+
         if (ref $value eq 'ARRAY') {
             # IN () is invalid SQL, and if we have an empty list
             # to match against, we're just returning an empty
@@ -364,6 +378,17 @@ sub create {
     return $object;
 }
 
+# Used to validate that a field name is in fact a valid column in the
+# current table before inserting it into SQL.
+sub _check_field {
+    my ($invocant, $field, $function) = @_;
+    my $class = ref($invocant) || $invocant;
+    if (!Bugzilla->dbh->bz_column_info($class->DB_TABLE, $field)) {
+        ThrowCodeError('param_invalid', { param    => $field,
+                                          function => "${class}::$function" });
+    }
+}
+
 sub check_required_create_fields {
     my ($class, $params) = @_;
 
@@ -406,6 +431,7 @@ sub insert_create_data {
 
     my (@field_names, @values);
     while (my ($field, $value) = each %$field_values) {
+        $class->_check_field($field, 'create');
         push(@field_names, $field);
         push(@values, $value);
     }
-- 
cgit v1.2.3-24-g4f1b