Bug 242405 Turning on QA contact causes taint error in Bugzilla/Series.pm when adding...
authortimeless%mozdev.org <>
Fri, 9 Jul 2004 10:33:39 +0000 (10:33 +0000)
committertimeless%mozdev.org <>
Fri, 9 Jul 2004 10:33:39 +0000 (10:33 +0000)
patch by bugzilla@glob.com.au r=joel a=justdave

Bugzilla/Series.pm
editcomponents.cgi

index f009a0ad9801c3c7a1382c85e382de7e2037ef5e..4d01a71ca59eeb97ff3251adbed5c7371c8ff2b5 100644 (file)
@@ -180,7 +180,6 @@ sub writeToDatabase {
     }
     else {
         # Insert the new series into the series table
-        trick_taint($self->{'query'});
         $dbh->do("INSERT INTO series (creator, category, subcategory, " .
                  "name, frequency, query) VALUES ($self->{'creator'}, " .
                  "$category_id, $subcategory_id, " .
index 4c00050fa1bcfe69508b44eea0ac6057e70a2066..00c06912f3a7ba53a28f1069ee701b2e4d7c7337 100755 (executable)
@@ -46,7 +46,7 @@ sub sillyness {
 
 my $dobugcounts = (defined $::FORM{'dobugcounts'});
 
-
+my $cgi = Bugzilla->cgi;
 
 # TestProduct:    just returns if the specified product does exists
 # CheckProduct:   same check, optionally  emit an error text
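Review bot: The new `$cgi` handle is declared two lines below a read of `$::FORM{'dobugcounts'}`, so this script now mixes the old `%::FORM` interface and `Bugzilla->cgi` for form access. If the move to `$cgi` is intended, declaring `$cgi` first and reading `my $dobugcounts = defined $cgi->param('dobugcounts');` in the same change would keep the file on one API; otherwise a one-line comment saying why only the series names go through `$cgi` would help the next reader. These are file-level statements; the `sillyness` sub named in the hunk header is outside this hunk.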
@@ -458,12 +458,21 @@ if ($action eq 'new') {
 
     # For localisation reasons, we get the title of the queries from the
     # submitted form.
+    my $open_name = $cgi->param('open_name');
+    my $closed_name = $cgi->param('closed_name');
     my @openedstatuses = ("UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED");
-    my $statuses = join("&", map { "bug_status=$_" } @openedstatuses);
-    push(@series, [$::FORM{'open_name'}, $statuses . $prodcomp]);
-
-    my $resolved = "field0-0-0=resolution&type0-0-0=notequals&value0-0-0=---";
-    push(@series, [$::FORM{'closed_name'}, $resolved . $prodcomp]);
+    my $statuses = join("&", map { "bug_status=$_" } @openedstatuses) . $prodcomp;
+    my $resolved = "field0-0-0=resolution&type0-0-0=notequals&value0-0-0=---" . $prodcomp;
+
+    # trick_taint is ok here, as these variables aren't used as a command
+    # or in SQL unquoted
+    trick_taint($open_name);
+    trick_taint($closed_name);
+    trick_taint($statuses);
+    trick_taint($resolved);
+
+    push(@series, [$open_name, $statuses]);
+    push(@series, [$closed_name, $resolved]);
 
     foreach my $sdata (@series) {
         my $series = new Bugzilla::Series(undef, $product, $component,
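Review bot: The `trick_taint` calls on `$open_name` and `$closed_name` untaint raw form input with no validation, and the comment justifying them depends on Series.pm quoting `name` and `query`, which this hunk cannot show — the INSERT in `Bugzilla::Series::writeToDatabase` (first hunk) builds its SQL by string interpolation, so that quoting should be confirmed at the point where `name` and `query` are interpolated, especially now that Series.pm no longer untaints the query itself. Taint mode earns its keep only if input is checked before untainting; at minimum reject a missing parameter, since `$cgi->param` returns undef for an absent one, e.g. `defined $open_name && defined $closed_name or die "open_name and closed_name are required";` (or the file's usual error routine) ahead of the `trick_taint` calls. `$statuses` and `$resolved` are tainted only through `$prodcomp`, which is built outside this hunk, presumably from the product/component parameters, so the same caveat applies there. I would also make the comment name where the quoting happens: `# trick_taint is ok here: Series->writeToDatabase quotes name and query before interpolating them into SQL`. The enclosing `if ($action eq 'new')` block and the `foreach` loop begun on the last line both continue outside the hunk.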