From 4e6767d4c3d1b0b583f4ec076992345545294748 Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Sun, 20 Jan 2002 09:44:34 +0000
Subject: Fix for bug 108982: enable taint mode for all user-facing CGI files. Patch by Brad Baetz r= jake, justdave
---
 attachment.cgi | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'attachment.cgi')
diff --git a/attachment.cgi b/attachment.cgi
index e5c3f52fe..5996aa86d 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -29,6 +29,8 @@ use diagnostics;
 use strict;
+use lib qw(.);
+
 # Include the Bugzilla CGI and general utility library.
 require "CGI.pl";
@@ -139,10 +141,10 @@ exit;
 sub validateID {
- # Validate the value of the "id" form field, which must contain a positive
+ # Validate the value of the "id" form field, which must contain an
 # integer that is the ID of an existing attachment.
- $::FORM{'id'} =~ /^[1-9][0-9]*$/
+ detaint_natural($::FORM{'id'})
 || DisplayError("You did not enter a valid attachment number.") && exit;
--
cgit v1.2.3-24-g4f1b
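Review bot: The added `use lib qw(.);` in the second hunk puts the current working directory back on @INC, which is exactly the entry taint mode removes, and nothing here says why that is safe. `require "CGI.pl"` then resolves against whatever directory the web server starts the script in, so the load path is only as trustworthy as that working directory and its permissions. I would add a comment above it, for example `# -T drops "." from @INC; re-add it so require "CGI.pl" resolves. Assumes the CGI runs with the Bugzilla directory as cwd and that directory is not writable by untrusted users.` If the install path is available as a constant elsewhere in the project, an absolute path would remove the dependency on cwd.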
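Review bot: In validateID (third hunk) the rejection path still depends on DisplayError returning a true value, because `detaint_natural(...) || DisplayError(...) && exit;` parses as `A || (B && exit)`. If DisplayError ever returns false, the script carries on with an id that failed validation and, under the new -T, is presumably still tainted. A form that does not depend on that return value is `detaint_natural($::FORM{'id'}) or do { DisplayError("You did not enter a valid attachment number."); exit; };`. detaint_natural is defined outside this diff; the comment's change from "a positive integer" to "an integer" suggests it now accepts 0 and leading zeros that the old `/^[1-9][0-9]*$/` rejected, so the comment would be clearer as "a non-negative integer", noting that the form value is untainted in place if that is what the helper does. The body of validateID continues past the end of the hunk.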