From: mkanat%bugzilla.org <>
Date: Fri, 11 Sep 2009 16:17:34 +0000 (+0000)
Subject: Bug 515191: [SECURITY] SQL Injection via Bug.create (CVE-2009-3165)
X-Git-Tag: bugzilla-3.0.10~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ea6848fd98842d88631f4d5eaf19ff80238dc3c;p=thirdparty%2Fbugzilla.git

Bug 515191: [SECURITY] SQL Injection via Bug.create (CVE-2009-3165)
---
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
old mode 100755
new mode 100644
index 0313d76d5f..480e5fb96e
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -113,6 +113,8 @@ sub create {
     my %field_values;
     foreach my $field (keys %$params) {
         my $field_name = FIELD_MAP->{$field} || $field;
+        # Prevent SQL Injection via key names.
+        _check_valid_field($field);
         $field_values{$field_name} = $params->{$field};
     }
 
@@ -172,6 +174,17 @@ sub legal_values {
     return { values => \@result };
 }
 
+sub _check_valid_field {
+    my $field = shift;
+    # We add qa_contact in manually because it should always be available in
+    # the API even if useqacontact is off.
+    my @valid_fields = (Bugzilla::Bug->fields, values %{ FIELD_MAP() },
+                        'qa_contact');
+    if (!grep($_ eq $field, @valid_fields)) {
+        ThrowCodeError('invalid_field_name', { field => $field });
+    }
+}
+
 1;
 
 __END__
@@ -450,6 +463,10 @@ you don't have permission to enter bugs in this product.
 
 You didn't specify a summary for the bug.
 
+=item 108 (Invalid Field Name)
+
+You specified a field that doesn't exist as an argument to this function.
+
 =item 504 (Invalid User)
 
 Either the QA Contact, Assignee, or CC lists have some invalid user
@@ -461,6 +478,9 @@ in them.  The error message will have more details.
 
 =over
 
+=item Error 108 is only thrown by this function in the 3.0 branch, starting
+with B<3.0.9>.
+
 =item Before B<3.0.4>, parameters marked as B were actually
 B, due to a bug in Bugzilla.
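Review bot: The allowlist that `_check_valid_field($field)` enforces in the `create` loop is the full set of bug columns (`Bugzilla::Bug->fields`) plus the FIELD_MAP values, not the set of fields `create` is meant to accept, so a client can still name any bug-table column as a key; the new check closes the injection through key names but not the setting of internal columns, and whether that matters depends on what `Bugzilla::Bug->create` rejects downstream, which is outside this hunk. Also note the check is applied to the raw key `$field` while `$field_values` is keyed by the mapped `$field_name`; that is consistent only because FIELD_MAP's values are in the allowlist, which is worth stating in the comment, e.g. `# Allowlist the raw key (API name or internal column name) before it is used as a hash key that reaches SQL.` The body of `create` continues outside the hunk.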
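Review bot: `_check_valid_field` rebuilds `@valid_fields` (including a `Bugzilla::Bug->fields` call) and does a linear `grep` for every key in `create`'s loop, so the cost is per parameter rather than per request; a hash lookup reads more clearly and makes the intent obvious: `my %is_valid = map { $_ => 1 } (Bugzilla::Bug->fields, values %{ FIELD_MAP() }, 'qa_contact');` then `ThrowCodeError('invalid_field_name', { field => $field }) unless $is_valid{$field};`. The helper also has no header comment; I would add one such as `# Dies with code error 108 unless $field is a known bug field or API alias; used to allowlist hash keys before they reach the database layer.` If the field list can change at runtime (custom fields), do not cache the hash at file scope.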