From: myk%mozilla.org <>
Date: Thu, 8 Nov 2001 08:49:18 +0000 (+0000)
Subject: Fix for bug 108812: Prevent users from running queries containing arbitrary SQL.
X-Git-Tag: bugzilla-2.14.1~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b5278c7ba3654533b551a9ab5fab1c40c58d74d;p=thirdparty%2Fbugzilla.git
Fix for bug 108812: Prevent users from running queries containing arbitrary SQL.
Patch by Jake r=bbaetz,myk
---
diff --git a/buglist.cgi b/buglist.cgi
index 0aba4ecc08..18ad053dc2 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -187,10 +187,14 @@ sub GenerateSQL {
 push(@specialchart, ["bug_id", $type, join(',', @{$M{'bug_id'}})]);
 }
- if (defined $F{'sql'}) {
- die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
- push(@wherepart, "( $F{'sql'} )");
- }
+# This is evil. We should never allow a user to directly append SQL to
+# any query without a huge amount of validation. Even then, it would
+# be a bad idea. Beware that uncommenting this will allow someone to
+# peak at virtually anything they want in the bugs database.
+# if (defined $F{'sql'}) {
+# die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
+# push(@wherepart, "( $F{'sql'} )");
+# }
 my @legal_fields = ("product", "version", "rep_platform", "op_sys",
 "bug_status", "resolution", "priority", "bug_severity",
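Review bot: The `sql` parameter is now silently ignored rather than rejected, so a request that still carries `sql=` (for example an old saved query) runs without that constraint and may return a broader result set than the user intended; failing loudly in place of the commented-out block, e.g. `die "The 'sql' parameter is no longer supported" if defined $F{'sql'};`, keeps the behaviour explicit and makes stale callers visible. Leaving the old block commented out rather than deleted also invites someone to re-enable it later — version control already keeps the history, and the new comment itself concedes that the `/;/` check was never adequate validation for user-supplied SQL. Minor: "peak" in the added comment should be "peek". The enclosing `sub GenerateSQL` starts before the hunk and continues past it.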