From 12ec69f9666726f8751901cac9470ec8bb85eb9b Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Thu, 10 May 2001 09:53:21 +0000
Subject: [PATCH] Fix for bug 38855: showvotes.cgi needs to escape (untrusted) url params

Patch by Myke Melez r= jake@acutex.net
---
 CGI.pl | 14 ++++++++++++++
 showvotes.cgi | 43 ++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/CGI.pl b/CGI.pl
index 29d8f68ea9..587ecc0747 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -963,6 +963,20 @@ sub PutFooter {
 }
+sub DisplayError {
+ my ($message, $title) = (@_);
+ $title ||= "Error";
+
+ print "Content-type: text/html\n\n";
+ PutHeader($title);
+
+ print PerformSubsts( Param("errorhtml") , {errormsg => $message} );
+
+ PutFooter();
+
+ return 1;
+}
+
 sub PuntTryAgain ($) {
 my ($str) = (@_);
 print PerformSubsts(Param("errorhtml"),
diff --git a/showvotes.cgi b/showvotes.cgi
index 8e7dc0d4d8..5751567864 100755
--- a/showvotes.cgi
+++ b/showvotes.cgi
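Review bot: DisplayError hands `$message` to PerformSubsts as the `errormsg` substitution with no HTML escaping of its own, so unless PerformSubsts escapes substituted values (its body is not in this hunk) any caller that builds the message from request data must escape it first; the three callers in showvotes.cgi pass constant strings, so a header comment is what is missing here, e.g. `# $message is substituted into the errorhtml page as-is; callers must HTML-escape any user-derived text.` The same comment should state that the sub prints its own `Content-type` header, page header and footer, so it must be called before the caller has printed anything, and that it returns 1 so the `DisplayError(...) && exit` idiom at call sites works. PuntTryAgain's body continues outside the hunk.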
@@ -26,10 +26,49 @@ use strict;
 require "CGI.pl";
+ConnectToDatabase();
+
+################################################################################
+# START Form Data Validation
+################################################################################
+
+# For security and correctness, validate the value of the "voteon" form variable.
+# Valid values are those containing a number that is the ID of an existing bug.
+if (defined $::FORM{'voteon'}) {
+ $::FORM{'voteon'} =~ /^(\d+)$/;
+ $::FORM{'voteon'} = $1 || 0;
+ SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'voteon'}");
+ FetchSQLData()
+ || DisplayError("You entered an invalid bug number to vote on.") && exit;
+}
+
+# For security and correctness, validate the value of the "bug_id" form variable.
+# Valid values are those containing a number that is the ID of an existing bug.
+if (defined $::FORM{'bug_id'}) {
+ $::FORM{'bug_id'} =~ /^(\d+)$/;
+ $::FORM{'bug_id'} = $1 || 0;
+ SendSQL("SELECT bug_id FROM bugs WHERE bug_id = $::FORM{'bug_id'}");
+ FetchSQLData()
+ || DisplayError("You entered an invalid bug number.") && exit;
+}
+
+# For security and correctness, validate the value of the "userid" form variable.
+# Valid values are those containing a number that is the ID of an existing user.
+if (defined $::FORM{'user'}) {
+ $::FORM{'user'} =~ /^(\d+)$/;
+ $::FORM{'user'} = $1 || 0;
+ SendSQL("SELECT userid FROM profiles WHERE userid = $::FORM{'user'}");
+ FetchSQLData()
+ || DisplayError("You specified an invalid user number.") && exit;
+}
+
+################################################################################
+# END Form Data Validation
+################################################################################
+
 if (defined $::FORM{'voteon'} || (!defined $::FORM{'bug_id'} && !defined $::FORM{'user'})) {
 confirm_login();
- ConnectToDatabase();
 $::FORM{'user'} = DBNameToIdAndCheck($::COOKIE{'Bugzilla_login'});
 }
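Review bot: The pattern `$::FORM{'voteon'} =~ /^(\d+)$/; $::FORM{'voteon'} = $1 || 0;` reads `$1` even when the match fails, and Perl leaves `$1` holding the capture of the last successful match in scope, so a non-numeric `bug_id` arriving after a valid `voteon` silently inherits voteon's number, and the same holds for the `user` block; the value is still purely numeric, so the interpolated SQL stays safe, but the wrong record gets validated. Binding the capture through a list assignment avoids the stale read: `my ($voteon) = $::FORM{'voteon'} =~ /^(\d+)$/;` followed by `$::FORM{'voteon'} = $voteon || 0;`, applied likewise in the bug_id and user blocks. Since the three blocks differ only in the parameter name, the table and the message, one small helper taking those three values would keep them from drifting apart. The comment on the third block says `the "userid" form variable` while the code reads `$::FORM{'user'}`; it should say `"user"`.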
@@ -39,7 +78,6 @@ if (defined $::FORM{'bug_id'}) { my $id = $::FORM{'bug_id'}; my $linkedid = qq{$id}; PutHeader("Show votes", "Show votes", "Bug $linkedid"); - ConnectToDatabase(); SendSQL("select profiles.login_name, votes.who, votes.count from votes, profiles where votes.bug_id = " . SqlQuote($id) . " and profiles.userid = votes.who"); print "\n"; print "\n"; @@ -52,7 +90,6 @@ if (defined $::FORM{'bug_id'}) { print "
WhoNumber of votes
"; print "

Total votes: $sum

\n"; } elsif (defined $::FORM{'user'}) { - ConnectToDatabase(); quietly_check_login(); GetVersionTable(); my $who = $::FORM{'user'}; -- 2.47.2