Bug 783794: Bugzilla::User->visible_bugs should validate input data
authorFrédéric Buclin <LpSolit@gmail.com>
Wed, 12 Sep 2012 23:44:01 +0000 (01:44 +0200)
committerFrédéric Buclin <LpSolit@gmail.com>
Wed, 12 Sep 2012 23:44:01 +0000 (01:44 +0200)
r=glob a=LpSolit

Bugzilla/User.pm

index 87255b20a040d1170d0fce5d830594f4d52781e7..9fa7458e7130e5b7a0d6863a13e03050810c6c4c 100644 (file)
@@ -883,6 +883,14 @@ sub visible_bugs {
     if (@check_ids) {
         my $dbh = Bugzilla->dbh;
         my $user_id = $self->id;
+
+        foreach my $id (@check_ids) {
+            my $orig_id = $id;
+            detaint_natural($id)
+              || ThrowCodeError('param_must_be_numeric', { param    => $orig_id,
+                                                           function => 'Bugzilla::User->visible_bugs'});
+        }
+
         my $sth;
         # Speed up the can_see_bug case.
         if (scalar(@check_ids) == 1) {
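Review bot: The added loop only validates `@check_ids` because `foreach` aliases `$id` to each array element and `detaint_natural()` rewrites its argument in place, and nothing in the code says so. A later refactor that iterates over a copy would leave the original values unchecked without any visible failure. I would put a comment above the loop, e.g. `# detaint_natural() validates and untaints each @check_ids element in place (foreach aliases $id);` followed by `# it appears to clobber $id on failure, hence $orig_id for the error message.` The rejected value is passed unmodified as `param`, so the `param_must_be_numeric` error template has to escape it when rendering; that template is not visible here. The body of visible_bugs starts and ends outside the hunk, including how `@check_ids` is built and the query that consumes it, so I cannot confirm that every ID reaching the database passes through this check.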