From fbf78711a9aca674dd1a2fa374e6501d1212531b Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Wed, 19 Jul 2006 04:54:38 +0000 Subject: Bug 345032: Tainted value in request.cgi when restricting the search to a given flag - Patch by Frédéric Buclin r/a=myk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Bugzilla/FlagType.pm | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index b5bbbc87b..6b3b7d15c 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -461,14 +461,16 @@ sub sqlify_criteria { my @criteria = ("1=1"); if ($criteria->{name}) { - push(@criteria, "flagtypes.name = " . $dbh->quote($criteria->{name})); + my $name = $dbh->quote($criteria->{name}); + trick_taint($name); # Detaint data as we have quoted it. + push(@criteria, "flagtypes.name = $name"); } if ($criteria->{target_type}) { # The target type is stored in the database as a one-character string # ("a" for attachment and "b" for bug), but this function takes complete # names ("attachment" and "bug") for clarity, so we must convert them. - my $target_type = $dbh->quote(substr($criteria->{target_type}, 0, 1)); - push(@criteria, "flagtypes.target_type = $target_type"); + my $target_type = $criteria->{target_type} eq 'bug'? 'b' : 'a'; + push(@criteria, "flagtypes.target_type = '$target_type'"); } if (exists($criteria->{is_active})) { my $is_active = $criteria->{is_active} ? "1" : "0"; -- cgit v1.2.3-24-g4f1b