From: justdave%syndicomm.com <>
Date: Mon, 3 Nov 2003 11:44:38 +0000 (+0000)
Subject: [SECURITY] Bug 214290: A user with 'editproducts' privileges (i.e. usually an adminis...
X-Git-Tag: bugzilla-2.16.4~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3721adcbb24af056e245622f2fc4bdfabe97965e;p=thirdparty%2Fbugzilla.git

[SECURITY] Bug 214290: A user with 'editproducts' privileges (i.e. usually an administrator) can select arbitrary SQL to be run by the nightly statistics cron job (collectstats.pl), by giving a product a special name. Patch by Dave Miller r= gerv, bbaetz a= justdave
---
diff --git a/collectstats.pl b/collectstats.pl
index 2a29bb9f5c..5d96e5b16d 100755
--- a/collectstats.pl
+++ b/collectstats.pl
@@ -82,7 +82,7 @@ sub collect_stats {
 if( $product eq "-All-" ) {
 SendSQL("select count(bug_status) from bugs where bug_status='$status'");
 } else {
- SendSQL("select count(bug_status) from bugs where bug_status='$status' and product='$product'");
+ SendSQL("select count(bug_status) from bugs where bug_status='$status' and product=" . SqlQuote($product));
 }
 push @row, FetchOneColumn();
@@ -92,7 +92,7 @@ sub collect_stats {
 if( $product eq "-All-" ) {
 SendSQL("select count(resolution) from bugs where resolution='$resolution'");
 } else {
- SendSQL("select count(resolution) from bugs where resolution='$resolution' and product='$product'");
+ SendSQL("select count(resolution) from bugs where resolution='$resolution' and product=" . SqlQuote($product));
 }
 push @row, FetchOneColumn();
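Review bot: The added line in the first hunk quotes `$product` through SqlQuote but still interpolates `$status` unquoted into the same statement, and the `-All-` branch two lines above it does the same; the second hunk (@@ -92) repeats this with `$resolution`. Where `@statuses` and `@resolutions` are populated is outside the hunk, so whether they are script literals or read from the database cannot be confirmed here; if they ever come from a table an administrator can edit, the injection path this commit closes for product names remains open through them. Quoting every value uniformly removes the need to reason about each variable's provenance: `SendSQL("select count(bug_status) from bugs where bug_status=" . SqlQuote($status) . " and product=" . SqlQuote($product));` and the same pattern for the `-All-` branch and for the resolution queries. The enclosing collect_stats sub starts and ends outside both hunks.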