]> git.ipfire.org Git - thirdparty/bugzilla.git/commitdiff
projects / thirdparty / bugzilla.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2cb3a45)
Bug 329783: SQL crash in request.cgi when the status field is used - Patch by Frédéri...
authorlpsolit%gmail.com <>
Wed, 22 Mar 2006 02:50:13 +0000 (02:50 +0000)
committerlpsolit%gmail.com <>
Wed, 22 Mar 2006 02:50:13 +0000 (02:50 +0000)
request.cgi patch | blob | blame | history

diff --git a/request.cgi b/request.cgi
index 344fb20281d080ad50023d729a6794b1e0ca1cc1..d91846488df60ad4fbe7ab6dd0e820cf0e6496a0 100755 (executable)
--- a/request.cgi
+++ b/request.cgi
@@ -57,10 +57,10 @@ exit;
 sub queue {
     my $cgi = Bugzilla->cgi;
     my $dbh = Bugzilla->dbh;
-    
-    validateStatus($cgi->param('status'));
-    validateGroup($cgi->param('group'));
-    
+
+    my $status = validateStatus($cgi->param('status'));
+    my $form_group = validateGroup($cgi->param('group'));
+
     my $attach_join_clause = "flags.attach_id = attachments.attach_id";
     if (Param("insidergroup") && !UserInGroup(Param("insidergroup"))) {
         $attach_join_clause .= " AND attachments.isprivate < 1";
@@ -120,7 +120,7 @@ sub queue {
     $query .= " AND flags.is_active = 1 ";
     
     # Limit query to pending requests.
-    $query .= " AND flags.status = '?' " unless $cgi->param('status');
+    $query .= " AND flags.status = '?' " unless $status;
 
     # The set of criteria by which we filter records to display in the queue.
     my @criteria = ();
@@ -134,13 +134,13 @@ sub queue {
     
     # Filter requests by status: "pending", "granted", "denied", "all" 
     # (which means any), or "fulfilled" (which means "granted" or "denied").
-    if ($cgi->param('status')) {
-        if ($cgi->param('status') eq "+-") {
+    if ($status) {
+        if ($status eq "+-") {
             push(@criteria, "flags.status IN ('+', '-')");
             push(@excluded_columns, 'status') unless $cgi->param('do_union');
         }
-        elsif ($cgi->param('status') ne "all") {
-            push(@criteria, "flags.status = '" . $cgi->param('status') . "'");
+        elsif ($status ne "all") {
+            push(@criteria, "flags.status = '$status'");
             push(@excluded_columns, 'status') unless $cgi->param('do_union');
         }
     }
@@ -220,7 +220,6 @@ sub queue {
     # so the loop in the display template can break them up into separate
     # tables every time the value in the group column changes.
 
-    my $form_group = $cgi->param('group');
     $form_group ||= "requestee";
     if ($form_group eq "requester") {
         $query .= " ORDER BY requesters.realname, requesters.login_name";
@@ -294,20 +293,24 @@ sub queue {
 ################################################################################
 
 sub validateStatus {
-    my $status = $_[0];
+    my $status = shift;
     return if !defined $status;
-    
+
     grep($status eq $_, qw(? +- + - all))
       || ThrowCodeError("flag_status_invalid",
                         { status => $status });
+    trick_taint($status);
+    return $status;
 }
 
 sub validateGroup {
-    my $group = $_[0];
+    my $group = shift;
     return if !defined $group;
-    
+
     grep($group eq $_, qw(requester requestee category type))
       || ThrowCodeError("request_queue_group_invalid", 
                         { group => $group });
+    trick_taint($group);
+    return $group;
 }
 
Mirror of https://github.com/bugzilla/bugzilla.git