From 4e6767d4c3d1b0b583f4ec076992345545294748 Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Sun, 20 Jan 2002 09:44:34 +0000
Subject: Fix for bug 108982: enable taint mode for all user-facing CGI files. Patch by Brad Baetz r= jake, justdave
---
CGI.pl | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
(limited to 'CGI.pl')
diff --git a/CGI.pl b/CGI.pl
index e245c1db4..16ec7f2d8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -93,6 +93,9 @@ sub url_quote { sub ParseUrlString { + # We don't want to detaint the user supplied data... + use re 'taint'; + my ($buffer, $f, $m) = (@_); undef %$f; undef %$m;
@@ -118,6 +121,7 @@ sub ParseUrlString { $name = $item; $value = ""; } + if ($value ne "") { if (defined $f->{$name}) { $f->{$name} .= $value;
@@ -141,7 +145,6 @@ sub ParseUrlString { } } - sub ProcessFormFields { my ($buffer) = (@_); return ParseUrlString($buffer, \%::FORM, \%::MFORM);
@@ -259,18 +262,18 @@ sub ValidateBugID { # Validates and verifies a bug ID, making sure the number is a # positive integer, that it represents an existing bug in the # database, and that the user is authorized to access that bug. + # We detaint the number here, too - my ($id) = @_; - - # Make sure the bug number is a positive integer. - # Whitespace can be ignored because the SQL server will ignore it. - $id =~ /^\s*([1-9][0-9]*)\s*$/ + $_[0] = trim($_[0]); # Allow whitespace arround the number + detaint_natural($_[0]) || DisplayError("The bug number is invalid. If you are trying to use " . "QuickSearch, you need to enable JavaScript in your " . "browser. To help us fix this limitation, look " . "here.") && exit; + my ($id) = @_; + # Get the values of the usergroupset and userid global variables # and write them to local variables for use within this function, # setting those local variables to the default value of zero if
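Review bot: The comment added above `use re 'taint';` in ParseUrlString (hunk `@@ -93,6 +93,9 @@`) does not say what the pragma changes, and the same holds for the cookie-parsing hunk `@@ -1430,6 +1435,8 @@`. Under taint mode a successful match normally yields untainted captures, and `use re 'taint'` switches that off for the enclosing lexical scope only, so subs called from here are governed by their own scope. I would word the comment as `# Under -T, regex captures are normally untainted; keep them tainted in this scope so form data is only cleaned by explicit validation.` ParseUrlString's body continues outside the hunk.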
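Review bot: In ValidateBugID (hunk `@@ -259,18 +262,18 @@`) the new lines assign to `$_[0]`, which aliases the caller's variable, so the caller's value is now trimmed and detainted as a side effect, and a call with a literal or other read-only argument would die on the assignment. That contract belongs in the header comment, for example `# Modifies the caller's variable in place: trims it and, on success, detaints it.` Separately, the failure path is still `detaint_natural($_[0]) || DisplayError(...) && exit;`, where `&&` binds tighter than `||`, so `exit` runs only if DisplayError returns true; its return value is not visible here, and `if (!detaint_natural($_[0])) { DisplayError(...); exit; }` would make the rejection unconditional. The header comment still promises a positive integer although the old pattern `[1-9][0-9]*` is gone, and what detaint_natural accepts (zero, leading zeros) is defined outside this hunk, so that sentence should be confirmed or reworded.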
@@ -685,6 +688,8 @@ sub quietly_check_login() { $::COOKIE{"Bugzilla_login"} = $loginname; # Makes sure case # is in # canonical form. + # We've just verified that this is ok + detaint_natural($::COOKIE{"Bugzilla_logincookie"}); } else { $::disabledreason = $disabledtext; }
@@ -1430,6 +1435,8 @@ if (defined $ENV{"REQUEST_METHOD"}) { if (defined $ENV{"HTTP_COOKIE"}) { + # Don't trust anything which came in as a cookie + use re 'taint'; foreach my $pair (split(/;/, $ENV{"HTTP_COOKIE"})) { $pair = trim($pair); if ($pair =~ /^([^=]*)=(.*)$/) {
-- cgit v1.2.3-24-g4f1b
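Review bot: The return value of `detaint_natural($::COOKIE{"Bugzilla_logincookie"})` in quietly_check_login (hunk `@@ -685,6 +688,8 @@`) is discarded, so a cookie that fails the check leaves this branch as if the login were fine. The comment relies on a verification that happens above the hunk; if that is a database lookup, a match does not by itself prove the string is purely numeric, since some databases coerce strings in numeric comparisons. I would test the result and fall through to the not-logged-in handling when it is false, e.g. `if (!detaint_natural($::COOKIE{"Bugzilla_logincookie"})) { ... }`, and have the comment name the check it relies on. quietly_check_login starts and ends outside the hunk and detaint_natural is defined elsewhere, so its behaviour on failure is not visible here.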