From 7380ea9ae11764633a4b6e64850da2d84b2aaeb2 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Fri, 11 Sep 2009 16:10:13 +0000
Subject: Bug 515191: [SECURITY] SQL Injection via Bug.search (CVE-2009-3125)
 and Bug.create (CVE-2009-3165) Patch by Max Kanat-Alexander
 <mkanat@bugzilla.org> r=LpSolit, a=mkanat

---
 Bugzilla/WebService/Bug.pm | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Bugzilla/WebService/Bug.pm')

diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index c6d620976..44382e79f 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -258,6 +258,7 @@ sub search {
     }
     
     $params = _map_fields($params);
+    delete $params->{WHERE};
     
     # Do special search types for certain fields.
     if ( my $bug_when = delete $params->{delta_ts} ) {
-- 
cgit v1.2.3-24-g4f1b