From: justdave%syndicomm.com <>
Date: Mon, 3 Nov 2003 11:46:55 +0000 (+0000)
Subject: [SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an adminis...
X-Git-Tag: bugzilla-2.16.4~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a645ea4e5cb30680020e27842527009002cc66ee;p=thirdparty%2Fbugzilla.git

[SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an administrator) can inject arbitrary SQL via the URL used to edit an existing keyword. Patch by Joel Peshkin r= justdave, zach a= justdave
---
diff --git a/editkeywords.cgi b/editkeywords.cgi
index 51294206dc..2dbbeb6f3c 100755
--- a/editkeywords.cgi
+++ b/editkeywords.cgi
@@ -123,6 +123,7 @@ unless (UserInGroup("editkeywords")) {
 my $action = trim($::FORM{action} || '');
+detaint_natural($::FORM{id});
 if ($action eq "") {