From: justdave%syndicomm.com <>
Date: Mon, 3 Nov 2003 11:31:30 +0000 (+0000)
Subject: [SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an adminis... 
X-Git-Tag: bugzilla-2.17.5~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4e75a434f1fbbae4b438927ae02958baad7f1b7;p=thirdparty%2Fbugzilla.git

[SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an administrator) can inject arbitrary SQL via the URL used to edit an existing keyword.
Patch by Joel Peshkin <bugreport@peshkin.net>
r= justdave, zach  a= justdave
---

diff --git a/editkeywords.cgi b/editkeywords.cgi
index 073dfbb9d4..7af0c1a6c2 100755
--- a/editkeywords.cgi
+++ b/editkeywords.cgi
@@ -126,6 +126,7 @@ unless (UserInGroup("editkeywords")) {
 
 
 my $action  = trim($::FORM{action}  || '');
+detaint_natural($::FORM{id});
 
 
 if ($action eq "") {