From 1e7b4002794930fad702718714b5d1c291bf816c Mon Sep 17 00:00:00 2001
From: David Lawrence <dkl@mozilla.com>
Date: Mon, 21 Dec 2015 22:27:52 +0000
Subject: Bug 1234325 - Backport upstream bug 1230932 to bmo/4.2 to fix
 providing a condition as an ID to the webservice results in a taint error

---
 Bugzilla/WebService/Bug.pm       |  4 ++++
 Bugzilla/WebService/Constants.pm |  2 ++
 Bugzilla/WebService/Util.pm      | 10 +++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index d7a1d8f9b..1437700ac 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -1273,6 +1273,10 @@ sub update_comment_tags {
                           { function => 'Bug.update_comment_tags',
                             param    => 'comment_id' });
 
+    ThrowCodeError("param_integer_required", { function => 'Bug.update_comment_tags',
+                                               param => 'comment_id' })
+      unless $comment_id =~ /^[0-9]+$/;
+
     my $comment = Bugzilla::Comment->new($comment_id)
         || return [];
     $comment->bug->check_is_visible();
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 758fdebde..0aa803cc8 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -76,6 +76,8 @@ use constant WS_ERROR_CODE => {
     number_too_large            => 54,
     number_too_small            => 55,
     illegal_date                => 56,
+    param_integer_required      => 57,
+    param_integer_array_required => 58,
     # Bug errors usually occupy the 100-200 range.
     improper_bug_id_field_value => 100,
     bug_id_does_not_exist       => 101,
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index 4280f28e6..e4c3eda44 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -29,6 +29,7 @@ use Bugzilla::WebService::Constants;
 
 use Storable qw(dclone);
 use URI::Escape qw(uri_unescape);
+use List::MoreUtils qw(all any);
 
 use base qw(Exporter);
 
@@ -231,7 +232,8 @@ sub validate  {
     # sent any parameters at all, and we're getting @keys where
     # $params should be.
     return ($self, undef) if (defined $params and !ref $params);
-    
+
+    my @id_params = qw( ids comment_ids );
     # If @keys is not empty then we convert any named 
     # parameters that have scalar values to arrayrefs
     # that match.
@@ -240,6 +242,12 @@ sub validate  {
             $params->{$key} = ref $params->{$key} 
                               ? $params->{$key} 
                               : [ $params->{$key} ];
+
+            if (any { $key eq $_ } @id_params) {
+                my $ids = $params->{$key};
+                ThrowCodeError('param_integer_array_required', { param => $key })
+                  unless ref($ids) eq 'ARRAY' && all { /^[0-9]+$/ } @$ids;
+            }
         }
     }
 
-- 
cgit v1.2.3-24-g4f1b