Fix for bug 108812: Prevent users from running queries containing arbitrary SQL.

Patch by Jake <jake@acutex.net>
r=bbaetz,myk

diff --git a/buglist.cgi b/buglist.cgi
index 0aba4ecc08f3658f329a0da6f28f82574f4d5c72..18ad053dc2a670a54c8c430e562b883899f2b9df 100755 (executable)
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -187,10 +187,14 @@ sub GenerateSQL {
         push(@specialchart, ["bug_id", $type, join(',', @{$M{'bug_id'}})]);
     }
 
-    if (defined $F{'sql'}) {
-        die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
-        push(@wherepart, "( $F{'sql'} )");
-    }
+# This is evil.  We should never allow a user to directly append SQL to
+# any query without a huge amount of validation.  Even then, it would
+# be a bad idea.  Beware that uncommenting this will allow someone to
+# peak at virtually anything they want in the bugs database.
+#    if (defined $F{'sql'}) {
+#        die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
+#        push(@wherepart, "( $F{'sql'} )");
+#    }
 
     my @legal_fields = ("product", "version", "rep_platform", "op_sys",
                         "bug_status", "resolution", "priority", "bug_severity",