From: Dylan Hardison
Date: Tue, 22 Dec 2015 16:53:56 +0000 (-0500)
Subject: Bug 1230932 - Providing a condition as an ID to the webservice results in a taint...
X-Git-Tag: bugzilla-4.4.11~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc5cdf3a7f7b40faca8c0efeb567cdd21376460a;p=thirdparty%2Fbugzilla.git
Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error r=dkl,a=dkl
---
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index f289caef46..722abd124f 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -51,6 +51,7 @@ use constant WS_ERROR_CODE => {
     number_too_large => 54,
     number_too_small => 55,
     illegal_date => 56,
+    param_integer_array_required => 58,
     # Bug errors usually occupy the 100-200 range.
     improper_bug_id_field_value => 100,
     bug_id_does_not_exist => 101,
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index c7d63b3366..7b2c2416d2 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -9,6 +9,9 @@ package Bugzilla::WebService::Util;
 use strict;
 use base qw(Exporter);
 
+use List::MoreUtils qw(all any);
+use Bugzilla::Error;
+
 # We have to "require", not "use" this, because otherwise it tries to
 # use features of Test::More during import().
 require Test::Taint;
@@ -103,7 +106,8 @@ sub validate {
     # sent any parameters at all, and we're getting @keys where
     # $params should be.
     return ($self, undef) if (defined $params and !ref $params);
-
+
+    my @id_params = qw( ids comment_ids );
     # If @keys is not empty then we convert any named
     # parameters that have scalar values to arrayrefs
     # that match.
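Review bot: `my @id_params = qw( ids comment_ids );` is a hard-coded allow-list with no comment saying why these two names are singled out or what the list feeds; add `# Parameters that must arrive as arrays of non-negative integers; anything else (e.g. a search-condition hash) is rejected here rather than reaching the DB layer, where the commit subject says it raised a taint error.` above the declaration. Any other id-bearing parameter a caller routes through validate() is silently left unchecked by this list, so a pointer to where new names should be registered would help maintainers. The enclosing validate() body starts before this hunk and the loop that consumes @id_params is in the following hunk.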
@@ -112,6 +116,12 @@ sub validate {
             $params->{$key} = ref $params->{$key}
                               ? $params->{$key}
                               : [ $params->{$key} ];
+
+            if (any { $key eq $_ } @id_params) {
+                my $ids = $params->{$key};
+                ThrowCodeError('param_integer_array_required', { param => $key })
+                    unless ref($ids) eq 'ARRAY' && all { /^[0-9]+$/ } @$ids;
+            }
         }
     }
 
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index e4416326b3..cd0e3c2aac 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -290,6 +290,9 @@
     a [% param FILTER html %] argument, and that argument was not set.
+  [% ELSIF error == "param_integer_array_required" %]
+    The [% param FILTER html %] parameter must be an array of integers.
+
   [% ELSIF error == "params_required" %]
     [% title = "Missing Parameter" %]
     The function [% function FILTER html %] requires
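Review bot: The pattern `/^[0-9]+$/` on the new `unless` line lets a trailing newline through, so an element such as `"42\n"` passes the integer check; anchor with `\A`/`\z` instead: `unless ref($ids) eq 'ARRAY' && all { /\A[0-9]+\z/ } @$ids;`. Testing `ref($ids) eq 'ARRAY'` before dereferencing is the right order and correctly rejects a hash (the "condition" case in the commit subject), but `all` over an empty list is true, so `ids => []` still passes — fine if callers handle empty lists, though worth a one-line comment. The check only fires for keys the caller names when invoking validate(), so presumably other id-bearing parameters remain unvalidated here. The `foreach`/`if (exists ...)` that encloses these lines begins before the hunk.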