From 861fef876f3cb8a50437ee41b6ba4c8d0cb1e239 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Thu, 5 Aug 2010 00:10:22 +0200 Subject: Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing a bug if a comment contains 'bug ' or 'attachment ' where is greater than the max allowed integer r=mkanat a=LpSolit --- Bugzilla/Template.pm | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'Bugzilla/Template.pm') diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 4abc8a6ee..923336d45 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -268,21 +268,15 @@ sub get_attachment_link { my ($attachid, $link_text) = @_; my $dbh = Bugzilla->dbh; - detaint_natural($attachid) - || die "get_attachment_link() called with non-integer attachment number"; + my $attachment = new Bugzilla::Attachment($attachid); - my ($bugid, $isobsolete, $desc, $is_patch) = - $dbh->selectrow_array('SELECT bug_id, isobsolete, description, ispatch - FROM attachments WHERE attach_id = ?', - undef, $attachid); - - if ($bugid) { + if ($attachment) { my $title = ""; my $className = ""; - if (Bugzilla->user->can_see_bug($bugid)) { - $title = $desc; + if (Bugzilla->user->can_see_bug($attachment->bug_id)) { + $title = $attachment->description; } - if ($isobsolete) { + if ($attachment->isobsolete) { $className = "bz_obsolete"; } # Prevent code injection in the title. @@ -294,7 +288,7 @@ sub get_attachment_link { # If the attachment is a patch, try to link to the diff rather # than the text, by default. my $patchlink = ""; - if ($is_patch and Bugzilla->feature('patch_viewer')) { + if ($attachment->ispatch and Bugzilla->feature('patch_viewer')) { $patchlink = '&action=diff'; } -- cgit v1.2.3-24-g4f1b