Bug 783794: Bugzilla::User->visible_bugs should validate input data

r=glob a=LpSolit

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 0bf94508475ebacae54656ba5608c0d3eaffe8e8..6b509226f9359d6032e1526b1151785fa6d06188 100644 (file)
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -888,6 +888,14 @@ sub visible_bugs {
     if (@check_ids) {
         my $dbh = Bugzilla->dbh;
         my $user_id = $self->id;
+
+        foreach my $id (@check_ids) {
+            my $orig_id = $id;
+            detaint_natural($id)
+              || ThrowCodeError('param_must_be_numeric', { param    => $orig_id,
+                                                           function => 'Bugzilla::User->visible_bugs'});
+        }
+
         my $sth;
         # Speed up the can_see_bug case.
         if (scalar(@check_ids) == 1) {