From a86ee3a1ca5213d5401c6425cfb0fcfc7bb15e78 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Tue, 31 Mar 2009 06:37:53 +0000
Subject: Bug 432907: Create a JSON frontend for WebServices Patch by Max Kanat-Alexander r=dkl, a=mkanat
---
 Bugzilla/Object.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'Bugzilla/Object.pm')
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index adc96fa50..6cca49e45 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -219,7 +219,12 @@ sub _do_list_select {
 $sql .= " $postamble" if $postamble;
 my $dbh = Bugzilla->dbh;
- my $objects = $dbh->selectall_arrayref($sql, {Slice=>{}}, @$values);
+ # Sometimes the values are tainted, but we don't want to untaint them
+ # for the caller. So we copy the array. It's safe to untaint because
+ # they're only used in placeholders here.
+ my @untainted = @{ $values || [] };
+ trick_taint($_) foreach @untainted;
+ my $objects = $dbh->selectall_arrayref($sql, {Slice=>{}}, @untainted);
 bless ($_, $class) foreach @$objects;
 return $objects
 }
-- 
cgit v1.2.3-24-g4f1b
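Review bot: The new comment justifies untainting only for the bind values, but `$sql` is built in the same function with `$postamble` interpolated directly (`$sql .= " $postamble"`), and nothing here records that the statement text must keep its taint check. I would extend the comment with a line such as `# Only bind values are untainted; $sql (including $postamble) must never be passed to trick_taint.` so that a later edit does not widen the exemption. Separately, `trick_taint($_)` now runs on every element; if trick_taint rejects undef (its body is not visible here, so this is an assumption to confirm), a caller binding a NULL value would start failing, and `trick_taint($_) foreach grep { defined } @untainted;` would avoid that. The body of _do_list_select starts outside this hunk, so how `$sql` and `$values` are assembled upstream could not be checked.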