From: jocuri%softhome.net <>
Date: Fri, 9 Jul 2004 03:08:55 +0000 (+0000)
Subject: Patch for bug 250265: fix taint issues with vote fields when editing products; patch...
X-Git-Tag: bugzilla-2.18rc1~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3bbd08a2236dab41540bf4199b14c79ff25ae2ca;p=thirdparty%2Fbugzilla.git
Patch for bug 250265: fix taint issues with vote fields when editing products; patch by GavinS slightly updated by me; r=joel; a=justdave.
---
diff --git a/editproducts.cgi b/editproducts.cgi
index b0e6279e0f..f41aaa9e58 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -1075,12 +1075,24 @@ if ($action eq 'update') {
 CheckProduct($productold);
 my $product_id = get_product_id($productold);
- if ($maxvotesperbug !~ /^\d+$/ || $maxvotesperbug <= 0) {
+ if (!detaint_natural($maxvotesperbug) || $maxvotesperbug == 0) {
 print "Sorry, the max votes per bug must be a positive integer.";
 PutTrailer($localtrailer);
 exit;
 }
+ if (!detaint_natural($votesperuser)) {
+ print "Sorry, the votes per user must be an integer >= 0.";
+ PutTrailer($localtrailer);
+ exit;
+ }
+
+ if (!detaint_natural($votestoconfirm)) {
+ print "Sorry, the votes to confirm must be an integer >= 0.";
+ PutTrailer($localtrailer);
+ exit;
+ }
+
 # Note that we got the $product_id using $productold above so it will
 # remain static even after we rename the product in the database.