use base qw(Exporter);
@Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural
+ detaint_signed
html_quote url_quote value_quote xml_quote
css_class_quote
lsearch max min
return (defined($_[0]));
}
+sub detaint_signed {
+ $_[0] =~ /^([-+]?\d+)$/;
+ $_[0] = $1;
+ # Remove any leading plus sign.
+ if (defined($_[0]) && $_[0] =~ /^\+(\d+)$/) {
+ $_[0] = $1;
+ }
+ return (defined($_[0]));
+}
+
sub html_quote {
my ($var) = (@_);
$var =~ s/\&/\&/g;
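Review bot: In detaint_signed the unconditional `$_[0] = $1;` after the first match is unsafe: when the pattern does not match, `$1` is not reset but keeps the value of the last successful match in the enclosing dynamic scope, so an invalid input can be replaced by a stale capture, come back defined, and make the routine return true. The second statement only strips a leading plus and does not close that gap. Capture the match result and assign conditionally, `my $match = $_[0] =~ /^([-+]?\d+)$/;` followed by `$_[0] = $match ? $1 : undef;`, so a failed match always yields undef and a false return. The visible tail of detaint_natural (its body starts outside this hunk) suggests it follows the same pattern and would benefit from the same change.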
$rv = is_tainted($var);
trick_taint($var);
detaint_natural($var);
+ detaint_signed($var);
# Functions for quoting
html_quote($var);
value passed in was a valid natural number, else it returns false. You
B<MUST> check the result of this routine to avoid security holes.
+=item C<detaint_signed($num)>
+
+This routine detaints a signed integer. It returns a true value if the
+value passed in was a valid signed integer, else it returns false. You
+B<MUST> check the result of this routine to avoid security holes.
+
=back
=head2 Quoting
<listitem>
<para>Enter the name of the Milestone in the "Milestone" field. You
can optionally set the "sortkey", which is a positive or negative
- number (-255 to 255) that defines where in the list this particular
+ number (-32768 to 32767) that defines where in the list this particular
milestone appears. This is because milestones often do not
occur in alphanumeric order For example, "Future" might be
after "Release 1.2". Select "Add".</para>
}
}
+sub CheckSortkey ($$)
+{
+ my ($milestone,$sortkey) = @_;
+
+ if (!detaint_signed($sortkey) || $sortkey < -32768 || $sortkey > 32767) {
+ print "The sortkey for a milestone must be a number between -32768 ";
+ print "and 32767 inclusive. Please press\n";
+ print "<b>Back</b> and try again.\n";
+ PutTrailer();
+ exit;
+ }
+
+ return $sortkey;
+}
+
#
# Displays the form to edit a milestone
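Review bot: CheckSortkey emits its error page with `PutTrailer();`, whereas the inline checks it replaces in editmilestones.cgi called `PutTrailer($localtrailer)`, so the trailer is silently dropped on the error path; pass it through, e.g. take `$localtrailer` as a third argument and call `PutTrailer($localtrailer);`. The `$milestone` parameter is accepted but never used in the body, and the `($$)` prototype only alters how calls are parsed rather than validating anything, so `sub CheckSortkey {` with `my ($milestone, $sortkey) = @_;` is the clearer form. Note that detaint_signed detaints the helper's private copy of `$sortkey`, not the caller's variable, so the callers must keep assigning the return value as the two added call sites do, since that value is what is later interpolated into the UPDATE statement.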
PutTrailer($localtrailer);
exit;
}
- if (!detaint_natural($sortkey)) {
- print "The sortkey for a milestone must be a number. Please press\n";
- print "<b>Back</b> and try again.\n";
- PutTrailer($localtrailer);
- exit;
- }
+
+ $sortkey = CheckSortkey($milestone,$sortkey);
+
if (TestMilestone($product,$milestone)) {
print "The milestone '$milestone' already exists. Please press\n";
print "<b>Back</b> and try again.\n";
milestones WRITE,
products WRITE");
- if ($sortkey != $sortkeyold) {
- if (!detaint_natural($sortkey)) {
- print "The sortkey for a milestone must be a number. Please press\n";
- print "<b>Back</b> and try again.\n";
- PutTrailer($localtrailer);
- exit;
- }
+ if ($sortkey ne $sortkeyold) {
+ $sortkey = CheckSortkey($milestone,$sortkey);
SendSQL("UPDATE milestones SET sortkey=$sortkey
WHERE product_id=" . $product_id . "
AND value=" . SqlQuote($milestoneold));