From 0f832a59ab1a0670b7c3f2fb52cb2131bffc1dbc Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Wed, 20 Jul 2005 18:29:32 +0000
Subject: [PATCH] =?utf8?q?Bug=20285112:=20Move=20ValidateBugID=20out=20of?= =?utf8?q?=20CGI.pl=20-=20Patch=20by=20Fr=C3=A9d=C3=A9ric=20Buclin=20=20r=3Djoel,wicked=20a=3Djustdave?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 Bugzilla/Bug.pm | 46 ++++++++++++++++++++++++++++++++++++++++-
 CGI.pl | 45 ----------------------------------------
 showdependencygraph.cgi | 1 +
 showdependencytree.cgi | 1 +
 4 files changed, 47 insertions(+), 46 deletions(-)
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 32030a7c2c..a82df3b69b 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -50,7 +50,7 @@ use Bugzilla::Error;
 use base qw(Exporter);
 @Bugzilla::Bug::EXPORT = qw(
 AppendComment ValidateComment
- bug_alias_to_id ValidateBugAlias
+ bug_alias_to_id ValidateBugAlias ValidateBugID
 RemoveVotes CheckIfVotedConfirmed
 );
@@ -1102,6 +1102,50 @@ sub CheckIfVotedConfirmed {
 # Field Validation #
+# Validates and verifies a bug ID, making sure the number is a
+# positive integer, that it represents an existing bug in the
+# database, and that the user is authorized to access that bug.
+# We detaint the number here, too.
+sub ValidateBugID {
+ my ($id, $field) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $user = Bugzilla->user;
+
+ # Get rid of white-space around the ID.
+ $id = trim($id);
+
+ # If the ID isn't a number, it might be an alias, so try to convert it.
+ my $alias = $id;
+ if (!detaint_natural($id)) {
+ $id = bug_alias_to_id($alias);
+ $id || ThrowUserError("invalid_bug_id_or_alias",
+ {'bug_id' => $alias,
+ 'field' => $field });
+ }
+
+ # Modify the calling code's original variable to contain the trimmed,
+ # converted-from-alias ID.
+ $_[0] = $id;
+
+ # First check that the bug exists
+ $dbh->selectrow_array("SELECT bug_id FROM bugs WHERE bug_id = ?", undef, $id)
+ || ThrowUserError("invalid_bug_id_non_existent", {'bug_id' => $id});
+
+ return if (defined $field && ($field eq "dependson" || $field eq "blocked"));
+
+ return if $user->can_see_bug($id);
+
+ # The user did not pass any of the authorization tests, which means they
+ # are not authorized to see the bug. Display an error and stop execution.
+ # The error the user sees depends on whether or not they are logged in
+ # (i.e. $user->id contains the user's positive integer ID).
+ if ($user->id) {
+ ThrowUserError("bug_access_denied", {'bug_id' => $id});
+ } else {
+ ThrowUserError("bug_access_query", {'bug_id' => $id});
+ }
+}
+
 # ValidateBugAlias:
 # Check that the bug alias is valid and not used by another bug. If
 # curr_id is specified, verify the alias is not used for any other
diff --git a/CGI.pl b/CGI.pl
index 78ef20fef0..539ef589b2 100644
--- a/CGI.pl
+++ b/CGI.pl
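Review bot: The early `return if (defined $field && ($field eq "dependson" || $field eq "blocked"));` skips `$user->can_see_bug($id)` altogether, and because the alias lookup and the `$_[0] = $id` write-back run before it, a caller validating a dependency field is handed the numeric ID of a bug the user may not be permitted to see, which contradicts the header comment's "the user is authorized to access that bug". This looks carried over from the CGI.pl version rather than introduced by the move, but now that the function lives in a shared module the exception should be spelled out where new callers will read it, e.g. `# Dependency fields only require that the bug exists; visibility is deliberately not checked here.` (wording to be confirmed against the original intent). The header block should also state that the first argument is rewritten in place with the trimmed, alias-resolved ID, since the inline comment is easy to miss from a call site. The whole of `ValidateBugID` lies within this hunk.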
@@ -107,51 +107,6 @@ sub CheckFormFieldDefined ($$) {
 }
 }
-sub ValidateBugID {
- # Validates and verifies a bug ID, making sure the number is a
- # positive integer, that it represents an existing bug in the
- # database, and that the user is authorized to access that bug.
- # We detaint the number here, too
-
- my ($id, $field) = @_;
-
- # Get rid of white-space around the ID.
- $id = trim($id);
-
- # If the ID isn't a number, it might be an alias, so try to convert it.
- my $alias = $id;
- if (!detaint_natural($id)) {
- $id = bug_alias_to_id($alias);
- $id || ThrowUserError("invalid_bug_id_or_alias",
- {'bug_id' => $alias,
- 'field' => $field });
- }
-
- # Modify the calling code's original variable to contain the trimmed,
- # converted-from-alias ID.
- $_[0] = $id;
-
- # First check that the bug exists
- SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $id");
-
- FetchOneColumn()
- || ThrowUserError("invalid_bug_id_non_existent", {'bug_id' => $id});
-
- return if (defined $field && ($field eq "dependson" || $field eq "blocked"));
-
- return if Bugzilla->user->can_see_bug($id);
-
- # The user did not pass any of the authorization tests, which means they
- # are not authorized to see the bug. Display an error and stop execution.
- # The error the user sees depends on whether or not they are logged in
- # (i.e. $::userid contains the user's positive integer ID).
- if ($::userid) {
- ThrowUserError("bug_access_denied", {'bug_id' => $id});
- } else {
- ThrowUserError("bug_access_query", {'bug_id' => $id});
- }
-}
-
 sub CheckEmailSyntax {
 my ($addr) = (@_);
 my $match = Param('emailregexp');
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index 9591a284d8..8a6aad9250 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -30,6 +30,7 @@ use Bugzilla;
 use Bugzilla::Config qw(:DEFAULT $webdotdir);
 use Bugzilla::Util;
 use Bugzilla::BugMail;
+use Bugzilla::Bug;
 require "CGI.pl";
diff --git a/showdependencytree.cgi b/showdependencytree.cgi
index 76ef0ddeec..e473357d14 100755
--- a/showdependencytree.cgi
+++ b/showdependencytree.cgi
@@ -28,6 +28,7 @@ use strict;
 use lib qw(.);
 require "CGI.pl";
 use Bugzilla::User;
+use Bugzilla::Bug;
 # Use global template variables.
 use vars qw($template $vars);
--
2.47.2