From 92b02f0a6625b731e95289fec32d7711e0d52f43 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Thu, 5 Aug 2010 00:14:19 +0200 Subject: [PATCH] Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing a bug if a comment contains 'bug ' or 'attachment ' where is greater than the max allowed integer r=mkanat a=LpSolit --- Bugzilla/Constants.pm | 2 ++ Bugzilla/Object.pm | 5 +++++ Bugzilla/Template.pm | 18 ++++++------------ 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index 88ff65d467..6617653a80 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -158,6 +158,7 @@ use File::Basename; MIN_SMALLINT MAX_SMALLINT + MAX_INT_32 MAX_LEN_QUERY_NAME MAX_CLASSIFICATION_SIZE @@ -461,6 +462,7 @@ use constant ROOT_USER => ON_WINDOWS ? 'Administrator' : 'root'; use constant MIN_SMALLINT => -32768; use constant MAX_SMALLINT => 32767; +use constant MAX_INT_32 => 2147483647; # The longest that a saved search name can be. use constant MAX_LEN_QUERY_NAME => 64; diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm index 32262dd2a4..b1be766352 100644 --- a/Bugzilla/Object.pm +++ b/Bugzilla/Object.pm @@ -82,6 +82,9 @@ sub _init { || ThrowCodeError('param_must_be_numeric', {function => $class . '::_init'}); + # Too large integers make PostgreSQL crash. + return if $id > MAX_INT_32; + $object = $dbh->selectrow_hashref(qq{ SELECT $columns FROM $table WHERE $id_field = ?}, undef, $id); @@ -160,6 +163,8 @@ sub new_from_list { detaint_natural($id) || ThrowCodeError('param_must_be_numeric', {function => $class . '::new_from_list'}); + # Too large integers make PostgreSQL crash. + next if $id > MAX_INT_32; push(@detainted_ids, $id); } # We don't do $invocant->match because some classes have diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 87114c95d2..88d3700e9a 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -267,21 +267,15 @@ sub get_attachment_link { my ($attachid, $link_text) = @_; my $dbh = Bugzilla->dbh; - detaint_natural($attachid) - || die "get_attachment_link() called with non-integer attachment number"; + my $attachment = new Bugzilla::Attachment($attachid); - my ($bugid, $isobsolete, $desc, $is_patch) = - $dbh->selectrow_array('SELECT bug_id, isobsolete, description, ispatch - FROM attachments WHERE attach_id = ?', - undef, $attachid); - - if ($bugid) { + if ($attachment) { my $title = ""; my $className = ""; - if (Bugzilla->user->can_see_bug($bugid)) { - $title = $desc; + if (Bugzilla->user->can_see_bug($attachment->bug_id)) { + $title = $attachment->description; } - if ($isobsolete) { + if ($attachment->isobsolete) { $className = "bz_obsolete"; } # Prevent code injection in the title. @@ -293,7 +287,7 @@ sub get_attachment_link { # If the attachment is a patch, try to link to the diff rather # than the text, by default. my $patchlink = ""; - if ($is_patch and Bugzilla->feature('patch_viewer')) { + if ($attachment->ispatch and Bugzilla->feature('patch_viewer')) { $patchlink = '&action=diff'; } -- 2.47.2