Patch for bug 250265: fix taint issues with vote fields when editing products; patch...

diff --git a/editproducts.cgi b/editproducts.cgi
index b0e6279e0f082024d053e28534f997f5f8337c6e..f41aaa9e58d64abbebc13024d83842b774124f9d 100755 (executable)
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -1075,12 +1075,24 @@ if ($action eq 'update') {
     CheckProduct($productold);
     my $product_id = get_product_id($productold);
 
-    if ($maxvotesperbug !~ /^\d+$/ || $maxvotesperbug <= 0) {
+    if (!detaint_natural($maxvotesperbug) || $maxvotesperbug == 0) {
         print "Sorry, the max votes per bug must be a positive integer.";
         PutTrailer($localtrailer);
         exit;
     }
 
+    if (!detaint_natural($votesperuser)) {
+        print "Sorry, the votes per user must be an integer >= 0.";
+        PutTrailer($localtrailer);
+        exit;
+    }
+
+    if (!detaint_natural($votestoconfirm)) {
+        print "Sorry, the votes to confirm must be an integer >= 0.";
+        PutTrailer($localtrailer);
+        exit;
+    }
+
     # Note that we got the $product_id using $productold above so it will
     # remain static even after we rename the product in the database.