From 4b5278c7ba3654533b551a9ab5fab1c40c58d74d Mon Sep 17 00:00:00 2001
From: "myk%mozilla.org" <>
Date: Thu, 8 Nov 2001 08:49:18 +0000
Subject: Fix for bug 108812: Prevent users from running queries containing
 arbitrary SQL. Patch by Jake <jake@acutex.net> r=bbaetz,myk

---
 buglist.cgi | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'buglist.cgi')

diff --git a/buglist.cgi b/buglist.cgi
index 0aba4ecc0..18ad053dc 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -187,10 +187,14 @@ sub GenerateSQL {
         push(@specialchart, ["bug_id", $type, join(',', @{$M{'bug_id'}})]);
     }
 
-    if (defined $F{'sql'}) {
-        die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
-        push(@wherepart, "( $F{'sql'} )");
-    }
+# This is evil.  We should never allow a user to directly append SQL to
+# any query without a huge amount of validation.  Even then, it would
+# be a bad idea.  Beware that uncommenting this will allow someone to
+# peak at virtually anything they want in the bugs database.
+#    if (defined $F{'sql'}) {
+#        die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
+#        push(@wherepart, "( $F{'sql'} )");
+#    }
 
     my @legal_fields = ("product", "version", "rep_platform", "op_sys",
                         "bug_status", "resolution", "priority", "bug_severity",
-- 
cgit v1.2.3-24-g4f1b