push(@funcnames, $key);
}
+ # first we delete any sign of "Chart #-1" from the HTML form hash
+ # since we want to guarantee the user didn't hide something here
+ my @badcharts = grep /^(field|type|value)-1-/, (keys %F);
+ foreach my $field (@badcharts) {
+ delete $F{$field};
+ }
+ # now we take our special chart and stuff it into the form hash
my $chart = -1;
my $row = 0;
foreach my $ref (@specialchart) {
# out duplicates.
# $suppstring = String which is pasted into query containing all table names
+ # get a list of field names to verify the user-submitted chart fields against
+ my %chartfields;
+ SendSQL("SELECT name FROM fielddefs");
+ while (MoreSQLData()) {
+ my ($name) = FetchSQLData();
+ $chartfields{$name} = 1;
+ }
$row = 0;
for ($chart=-1 ;
if ($f eq "noop" || $t eq "noop" || $v eq "") {
next;
}
+ # chart -1 is generated by other code above, not from the user-
+ # submitted form, so we'll blindly accept any values in chart -1
+ if ((!$chartfields{$f}) && ($chart != -1)) {
+ my $errstr = "Can't use " . html_quote($f) . " as a field name. " .
+ "If you think you're getting this in error, please copy the " .
+ "entire URL out of the address bar at the top of your browser " .
+ "window and email it to <109679\@bugzilla.org>";
+ die "Internal error: $errstr" if $chart < 0;
+ return Error($errstr);
+ }
$q = SqlQuote($v);
my $func;
$term = undef;
projects / thirdparty / bugzilla.git / commitdiff
