From 668ec7dae535ce543f13ef5a36830da7421e1e68 Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Sun, 30 Dec 2001 13:46:24 +0000
Subject: SECURITY FIX for bug 109679: It was possible to send arbitrary SQL to buglist.cgi by altering the HTML form before submitting.
Patch by Dave Miller r= dkl, gerv
---
 buglist.cgi | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'buglist.cgi')
diff --git a/buglist.cgi b/buglist.cgi
index d49e7ed25..d74563f25 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -639,7 +639,14 @@ sub GenerateSQL {
 push(@funcnames, $key);
 }
+ # first we delete any sign of "Chart #-1" from the HTML form hash
+ # since we want to guarantee the user didn't hide something here
+ my @badcharts = grep /^(field|type|value)-1-/, (keys %F);
+ foreach my $field (@badcharts) {
+ delete $F{$field};
+ }
+
+ # now we take our special chart and stuff it into the form hash
 my $chart = -1;
 my $row = 0;
 foreach my $ref (@specialchart) {
@@ -738,6 +745,13 @@ sub GenerateSQL {
 # out duplicates.
 # $suppstring = String which is pasted into query containing all table names
+ # get a list of field names to verify the user-submitted chart fields against
+ my %chartfields;
+ SendSQL("SELECT name FROM fielddefs");
+ while (MoreSQLData()) {
+ my ($name) = FetchSQLData();
+ $chartfields{$name} = 1;
+ }
 $row = 0;
 for ($chart=-1 ;
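Review bot: The foreach/delete over `@badcharts` is a hash-slice delete written long-hand; `delete @F{ grep { /^(?:field|type|value)-1-/ } keys %F };` does the same in one statement and drops the `@badcharts` temporary. The reason chart -1 must be scrubbed — that it is reserved for the server-built `@specialchart` terms and is later exempted from the field-name check — is only implied by the two comments; a line such as `# chart -1 is trusted by the field-name check below, so the client must not be able to seed it` would make the coupling explicit for the next maintainer. GenerateSQL starts before and continues after this hunk.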
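Review bot: The allowlist in `%chartfields` is an exact-match set of `fielddefs.name`, so any field name the chart form legitimately submits that has no matching fielddefs row (if such a name exists) will now be rejected by the check in the third hunk instead of being queried; worth confirming against the names the form actually emits. The `SELECT name FROM fielddefs` is a fixed query with no interpolation, so it is safe, but it now runs on every GenerateSQL call. A comment like `# exact-match allowlist: every user-supplied chart field must name a fielddefs row` above `my %chartfields;` would state the contract. The `for ($chart=-1 ;` header at the end of the hunk is truncated in this view and its body continues past the hunk.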
@@ -759,6 +773,16 @@ sub GenerateSQL {
 if ($f eq "noop" || $t eq "noop" || $v eq "") {
 next;
 }
+ # chart -1 is generated by other code above, not from the user-
+ # submitted form, so we'll blindly accept any values in chart -1
+ if ((!$chartfields{$f}) && ($chart != -1)) {
+ my $errstr = "Can't use " . html_quote($f) . " as a field name. " .
+ "If you think you're getting this in error, please copy the " .
+ "entire URL out of the address bar at the top of your browser " .
+ "window and email it to <109679\@bugzilla.org>";
+ die "Internal error: $errstr" if $chart < 0;
+ return Error($errstr);
+ }
 $q = SqlQuote($v);
 my $func;
 $term = undef;
-- cgit v1.2.3-24-g4f1b
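Review bot: `die "Internal error: $errstr" if $chart < 0;` cannot fire: it sits inside the `$chart != -1` branch, and the loop shown at the end of the previous hunk starts at `$chart=-1` and counts upward, so no chart below -1 reaches this point; either drop the line or replace it with a comment stating the invariant, e.g. `# only chart -1 is server-generated; every other chart is user input and must name a fielddefs row`. The allowlist covers `$f` only; `$t` (the operator) is not checked here, so whether it can reach the SQL unvalidated depends on the lookup that follows outside this hunk and is worth confirming. Passing `$f` through `html_quote` before handing it to `Error` is the right call, since the rejected name is user-controlled and is reflected back in the page. The enclosing loop body begins and ends outside the hunk.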