From 8ec9b2e7dc3ae5ba965cdc2d6576d155ede269c2 Mon Sep 17 00:00:00 2001
From: "bbaetz%student.usyd.edu.au" <>
Date: Fri, 1 Feb 2002 07:51:38 +0000
Subject: Bug 122744 - charting fails taint checks r=daa@distributed.net, gerv

---
 reports.cgi | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'reports.cgi')

diff --git a/reports.cgi b/reports.cgi
index 0bdc062d1..7e97861fb 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -124,6 +124,10 @@ if (! defined $FORM{'product'}) {
         || DisplayError("You entered an invalid output type.")
         && exit;
 
+    # We've checked that the product exists, and that the user can see it
+    # This means that is OK to detaint
+    trick_taint($FORM{'product'});
+
     # Output appropriate HTTP response headers
     print "Content-type: text/html\n";
     # Changing attachment to inline to resolve 46897 - zach@zachlipton.com
@@ -516,6 +520,19 @@ sub chart_image_type {
 sub chart_image_name {
     my ($data_file, $type) = @_;
 
+    # This routine generates a filename from the requested fields. The problem
+    # is that we have to check the safety of doing this. We can't just require
+    # that the fields exist, because what stats were collected could change
+    # over time (eg by changing the resolutions available)
+    # Instead, just require that each field name consists only of letters
+    # and number
+
+    if ($FORM{'datasets'} !~ m/[A-Za-z0-9:]/) {
+        die "Invalid datasets $FORM{'datasets'}";
+    }
+    # Since we pass the tests, consider it OK
+    trick_taint($FORM{'datasets'});
+
     # Cache charts by generating a unique filename based on what they
     # show. Charts should be deleted by collectstats.pl nightly.
     my $id = join ("_", split (":", $FORM{datasets}));
-- 
cgit v1.2.3-24-g4f1b
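Review bot: The justification written above `trick_taint($FORM{'product'})` — that the product exists and the user may see it — rests on checks that are not in this hunk; the only validation visible on the preceding context lines is the output-type check, so a reader cannot confirm from here that the product lookup fails closed before the value is detainted. It is worth verifying that the product check sits before this point and that it is a lookup against known products rather than a pattern test, since a detaint is only as good as the check it cites. The comment also reads awkwardly; `# This means that it is OK to detaint` is what was meant. The surrounding block, including the product check the comment refers to, starts outside the hunk.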
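Review bot: The guard `if ($FORM{'datasets'} !~ m/[A-Za-z0-9:]/)` is unanchored and has no quantifier, so it only rejects a value that contains no letter, digit or colon anywhere; any string with at least one such character passes, is then detainted by `trick_taint`, and feeds the filename built on the following `$id` line. The comment's intent — each field name consists only of letters and digits — is right, but the pattern does not implement it; the check should require every character to match: `if ($FORM{'datasets'} !~ m/\A[A-Za-z0-9:]+\z/) {` (using `\z` rather than `$` so a trailing newline is also rejected). With the pattern anchored, the `die` message can safely keep echoing the rejected value, though it may be preferable not to include raw form input in an error string at all. The remainder of chart_image_name, where the filename is assembled from `$id`, continues outside the hunk.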