From 1d9fe70befbe375184f3de1e48e1aa168bf6503d Mon Sep 17 00:00:00 2001 From: "justdave%syndicomm.com" <> Date: Tue, 6 Nov 2001 04:43:35 +0000 Subject: SECURITY FIX see bug 108516: Due to trusting of passed form fields that shouldn't have been trusted, it was possible to file a bug pretending to be someone else if you edited the HTML by hand before submitting. Patch by Dave Miller r= bbaetz, jake --- post_bug.cgi | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) (limited to 'post_bug.cgi') diff --git a/post_bug.cgi b/post_bug.cgi index 4fc7e9c99..bcbef7bb3 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -103,10 +103,7 @@ if ($::FORM{'assigned_to'} eq "") { $::FORM{'assigned_to'} = DBNameToIdAndCheck($::FORM{'assigned_to'}); } -$::FORM{'reporter'} = DBNameToIdAndCheck($::FORM{'reporter'}); - - -my @bug_fields = ("reporter", "product", "version", "rep_platform", +my @bug_fields = ("product", "version", "rep_platform", "bug_severity", "priority", "op_sys", "assigned_to", "bug_status", "bug_file_loc", "short_desc", "component", "target_milestone"); @@ -145,7 +142,6 @@ if (!exists $::FORM{'target_milestone'}) { if ( Param("strictvaluechecks") ) { GetVersionTable(); - CheckFormField(\%::FORM, 'reporter'); CheckFormField(\%::FORM, 'product', \@::legal_product); CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}}); CheckFormField(\%::FORM, 'target_milestone', @@ -174,7 +170,7 @@ if (exists $::FORM{'bug_status'} && $::FORM{'bug_status'} ne $::unconfirmedstate } my $query = "INSERT INTO bugs (\n" . join(",\n", @used_fields) . ", -creation_ts, groupset) +reporter, creation_ts, groupset) VALUES ( "; @@ -182,17 +178,17 @@ foreach my $field (@used_fields) { # fix for 42609. if there is a http:// only in bug_file_loc, strip # it out and send an empty value. if ($field eq 'bug_file_loc') { - if ($::FORM{$field} eq 'http://') { - $::FORM{$field} = ""; - $query .= SqlQuote($::FORM{$field}) . ",\n"; - next; - } - else { - $query .= SqlQuote($::FORM{$field}) . ",\n"; - } + if ($::FORM{$field} eq 'http://') { + $::FORM{$field} = ""; + $query .= SqlQuote($::FORM{$field}) . ",\n"; + next; + } + else { + $query .= SqlQuote($::FORM{$field}) . ",\n"; + } } else { - $query .= SqlQuote($::FORM{$field}) . ",\n"; + $query .= SqlQuote($::FORM{$field}) . ",\n"; } } @@ -204,7 +200,7 @@ $comment = trim($comment); # OK except for the fact that it causes e-mail to be suppressed. $comment = $comment ? $comment : " "; -$query .= "now(), (0"; +$query .= "$::userid, now(), (0"; foreach my $b (grep(/^bit-\d*$/, keys %::FORM)) { if ($::FORM{$b}) { @@ -251,7 +247,7 @@ SendSQL("select LAST_INSERT_ID()"); my $id = FetchOneColumn(); SendSQL("INSERT INTO longdescs (bug_id, who, bug_when, thetext) VALUES " . - "($id, $::FORM{'reporter'}, now(), " . SqlQuote($comment) . ")"); + "($id, $::userid, now(), " . SqlQuote($comment) . ")"); foreach my $person (keys %ccids) { SendSQL("insert into cc (bug_id, who) values ($id, $person)"); -- cgit v1.2.3-24-g4f1b