From: Frédéric Buclin
Date: Fri, 27 Jan 2012 21:28:45 +0000 (+0100)
Subject: Bug 721715: URLs in the See Also field must be detainted before inserted into the DB
X-Git-Tag: bugzilla-4.2rc2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba6261338264e750809ae1b3f228440e8bccf6db;p=thirdparty%2Fbugzilla.git
Bug 721715: URLs in the See Also field must be detainted before inserted into the DB
r=dkl a=LpSolit
---
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index ddfe570285..a848c866b7 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2853,14 +2853,13 @@ sub add_see_also {
 $class->check_required_create_fields($params);
 my $field_values = $class->run_create_validators($params);
- $uri = $field_values->{value};
- $field_values->{value} = $uri->as_string;
+ my $value = $field_values->{value}->as_string;
+ trick_taint($value);
+ $field_values->{value} = $value;
 # We only add the new URI if it hasn't been added yet. URIs are
 # case-sensitive, but most of our DBs are case-insensitive, so we do
 # this check case-insensitively.
- my $value = $uri->as_string;
-
 if (!grep { lc($_->name) eq lc($value) } @{ $self->see_also }) {
 my $privs;
 my $can = $self->check_can_change_field('see_also', '', $value, \$privs);
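Review bot: The added `trick_taint($value)` clears the taint flag without checking the string itself, so from that line on the only thing vouching for the URL is whatever `run_create_validators` did two lines earlier, and nothing in the hunk records that dependency. A one-line comment above the call would keep it visible to whoever later changes the validators, for example `# Safe to detaint: the URI was checked by run_create_validators() above.` It is also worth confirming that every `$class` validator returns a URI object, because `->as_string` is now called directly on `$field_values->{value}`; the old code made the same assumption through `$uri`. add_see_also begins and ends outside this hunk, so the statement that actually writes `$field_values` to the database is not visible here.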