From: lpsolit%gmail.com <>
Date: Wed, 19 Jul 2006 04:54:38 +0000 (+0000)
Subject: Bug 345032: Tainted value in request.cgi when restricting the search to a given flag... 
X-Git-Tag: bugzilla-2.23.3~248
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbf78711a9aca674dd1a2fa374e6501d1212531b;p=thirdparty%2Fbugzilla.git

Bug 345032: Tainted value in request.cgi when restricting the search to a given flag - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=myk
---

diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index b5bbbc87ba..6b3b7d15c1 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -461,14 +461,16 @@ sub sqlify_criteria {
     my @criteria = ("1=1");
 
     if ($criteria->{name}) {
-        push(@criteria, "flagtypes.name = " . $dbh->quote($criteria->{name}));
+        my $name = $dbh->quote($criteria->{name});
+        trick_taint($name); # Detaint data as we have quoted it.
+        push(@criteria, "flagtypes.name = $name");
     }
     if ($criteria->{target_type}) {
         # The target type is stored in the database as a one-character string
         # ("a" for attachment and "b" for bug), but this function takes complete
         # names ("attachment" and "bug") for clarity, so we must convert them.
-        my $target_type = $dbh->quote(substr($criteria->{target_type}, 0, 1));
-        push(@criteria, "flagtypes.target_type = $target_type");
+        my $target_type = $criteria->{target_type} eq 'bug'? 'b' : 'a';
+        push(@criteria, "flagtypes.target_type = '$target_type'");
     }
     if (exists($criteria->{is_active})) {
         my $is_active = $criteria->{is_active} ? "1" : "0";