Fix for bug 178800: fixes taint failure in graphical charts with Perl 5.6.0
authormyk%mozilla.org <>
Fri, 8 Nov 2002 07:28:38 +0000 (07:28 +0000)
committermyk%mozilla.org <>
Fri, 8 Nov 2002 07:28:38 +0000 (07:28 +0000)
r=gerv
a=justdave

report.cgi
template/en/default/global/code-error.html.tmpl

index 4c5952949012c7e01114444e5b1d4469ef530699..91d5074bcf67721ae7c11ff17ea0a2144fc7e900 100755 (executable)
@@ -109,6 +109,17 @@ $columns{'target_milestone'} = "bugs.target_milestone";
 # so that we always select 3 items in the query.
 $columns{''}                 = "42217354";
 
+# Validate the values in the axis fields or throw an error.
+!$row_field 
+  || ($columns{$row_field} && trick_taint($row_field))
+  || ThrowCodeError("report_axis_invalid", { fld=>"x", val=>$row_field });
+!$col_field 
+  || ($columns{$col_field} && trick_taint($col_field))
+  || ThrowCodeError("report_axis_invalid", { fld=>"y", val=>$col_field });
+!$tbl_field 
+  || ($columns{$tbl_field} && trick_taint($tbl_field))
+  || ThrowCodeError("report_axis_invalid", { fld=>"z", val=>$tbl_field });
+
 my @axis_fields = ($row_field, $col_field, $tbl_field);
 
 my @selectnames = map($columns{$_}, @axis_fields);
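Review bot: The `!$row_field` guard (and the matching ones for `$col_field` and `$tbl_field`) treats the string `0` as "no field given", so that value skips both the `%columns` lookup and `trick_taint` and still lands in `@axis_fields` unvalidated; testing `!defined($row_field) || $row_field eq ''` would let it fall through to `ThrowCodeError` instead. The chain also makes the outcome depend on `trick_taint` returning true, which is not visible in this hunk, so a false return would raise `report_axis_invalid` for a valid field. Since `trick_taint` appears to untaint whatever it is handed, the only thing that makes this safe is that the `%columns` lookup runs first, and a comment such as `# Untaint only after the value is confirmed to be a key of %columns.` would keep a later edit from reordering it. `exists $columns{$row_field}` would also state the allow-list test more directly than a truth test on the mapped value.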
index 42c07ab2d2d49c2371df8b7ea48f6dd3990208c4..d23234adcde78339dd08b032a17055c48ffc7925 100644 (file)
   [% ELSIF error == "request_queue_group_invalid" %]
     The group field <em>[% group FILTER html %]</em> is invalid.
 
+  [% ELSIF error == "report_axis_invalid" %]
+    <em>[% variables.val FILTER html %]</em> is not a valid value for 
+    [%+ IF    variables.fld == "x" %]the horizontal axis
+    [%+ ELSIF variables.fld == "y" %]the vertical axis
+    [%+ ELSIF variables.fld == "z" %]the multiple tables/images
+    [%+ ELSE %]a report axis[% END %] field.
+
   [% ELSIF error == "token_generation_error" %]
     Something is seriously wrong with the token generation system.