Bug 170986 - General Summary reports don't work with taint checking. Also fixes Throw...

diff --git a/CGI.pl b/CGI.pl
index b9504983b116649a22298768e173503bba26b25a..d6c040978e8c26b78f00d573d70ddc752ff3a45f 100644 (file)
--- a/CGI.pl
+++ b/CGI.pl
@@ -854,8 +854,10 @@ sub ThrowCodeError {
   SendSQL("UNLOCK TABLES") if $unlock_tables;
   
   # Copy the extra_vars into the vars hash 
-  @::vars{keys %$extra_vars} = values %$extra_vars;
-
+  foreach my $var (keys %$extra_vars) {
+      $vars->{$var} = $extra_vars->{$var};
+  }
+  
   # We may one day log something to file here also.
   $vars->{'variables'} = $extra_vars;
   
@@ -873,8 +875,10 @@ sub ThrowUserError {
   SendSQL("UNLOCK TABLES") if $unlock_tables;
  
   # Copy the extra_vars into the vars hash 
-  @::vars{keys %$extra_vars} = values %$extra_vars;
-
+  foreach my $var (keys %$extra_vars) {
+      $vars->{$var} = $extra_vars->{$var};
+  }
+  
   print "Content-type: text/html\n\n" if !$vars->{'header_done'};
   $template->process("global/user-error.html.tmpl", $vars)
     || ThrowTemplateError($template->error());

diff --git a/globals.pl b/globals.pl
index 64031bc8534930b150d6b1c09138ec710a24ef64..a6a751562847a961e1357b8e1cb3f3db89ec3ec6 100644 (file)
--- a/globals.pl
+++ b/globals.pl
@@ -1637,6 +1637,8 @@ sub GetFormat {
     # Security - allow letters and a hyphen only
     $ctype =~ s/[^a-zA-Z\-]//g;
     $format =~ s/[^a-zA-Z\-]//g;
+    trick_taint($ctype);
+    trick_taint($format);
     
     $template .= ($format ? "-$format" : "");
     $template .= ".$ctype.tmpl";