Closed Bug 208647 Opened 21 years ago Closed 21 years ago

cygwin, IIS 5.0: Insecure dependency in parameter 1 of DBI::db=HASH(0x10611388)->prepare method call while running with -T switch at Bugzilla/DB.pm line 64.

Categories

(Bugzilla :: Administration, task)

Product:
Bugzilla
Component:
Administration
Platform:
x86
Windows 2000
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.18

People

(Reporter: jpyeron, Assigned: jpyeron)

Details

Attachments

(1 file, 2 obsolete files)

detaint vars for add new product sql
1.17 KB, patch
bbaetz
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)
Build Identifier: 

When adding a new product after submit I get 


Insecure dependency in parameter 1 of DBI::db=HASH(0x10611388)->prepare method 
call while running with -T switch at Bugzilla/DB.pm line 64. 

Reproducible: Always

Steps to Reproduce:
1. install on cygwin, use IIS 5.0 (win2kpro)
2. perl -T %s %s
3. go to products page, choose add, then submit




Version 2.17.4 

Bugzilla/DB.pm:64:
    $_current_sth = Bugzilla->dbh->prepare($str);
offending code from editproducts.cgi:


about line 329

    SendSQL("INSERT INTO products ( " .
            "name, description, milestoneurl, disallownew, votesperuser, " .
            "maxvotesperbug, votestoconfirm, defaultmilestone" .
            " ) VALUES ( " .
            SqlQuote($product) . "," .
            SqlQuote($description) . "," .
            SqlQuote($milestoneurl) . "," .
            $disallownew . "," .
            "$votesperuser, $maxvotesperbug, $votestoconfirm, " .
            SqlQuote($defaultmilestone) . ")");
Summary: cygwin, IIS 5.0: Insecure dependency in parameter 1 of DBI::db=HASH(0x10611388)->prepare method call while running with -T switch at Bugzilla/DB.pm line 64. → cygwin, IIS 5.0: Insecure dependency in parameter 1 of DBI::db=HASH(0x10611388)->prepare method call while running with -T switch at Bugzilla/DB.pm line 64.
fixed it by untainting:
 $disallownew $votesperuser $maxvotesperbug $votestoconfirm
with SqlQuote()
forgot to comment the code
Attachment #125145 - Attachment is obsolete: true

        Attachment #125147 -
        Attachment is obsolete: true

    
  
Component: Installation & Upgrading → Administration

    
  

        Attachment #125148 -
        Flags: review?(matty)

    
    

    
  
edit* does not run under taint mode. Yes, we know that this affects windows
(because windows can't run some scripts under -T and others not)

These shouldn't be SqlQuoted, but instead checked for numerics (via
detaint_natural).

    
    

    
  
Bug xxx has been added to the database
Content-type: text/html 

Software error:
Insecure dependency in exec while running with -T switch at /var/www/bugzilla-
2.16.3/post_bug.cgi line 303.


    
    

    
  
re commet 6: thanks, unfortunatly it will be some time before this problem on 
the stable branch is attacked. If you would like to check the development 
(tip), and this problem is still there, a patch will be created ASAP by our 
company.

    
    

    
  
Comment on attachment 125148 [details] [diff] [review]
detaint vars for add new product sql

I don't know where MattyT is these days...

        Attachment #125148 -
        Flags: review?(mattyt-bugzilla) → review?(bbaetz)

    
    

    
  
Comment on attachment 125148 [details] [diff] [review]
detaint vars for add new product sql

I'll be really surprised if tis makes editproducts taint-safe, but....

Its not strictly correct (we should detaint_natural) them first, but its edit*,
and not a security issue, so r=bbaetz

        Attachment #125148 -
        Flags: review?(bbaetz) → review+

    
    

    
  
Assigning to patch writer.
Assignee: zach → jpyeron
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: approval?

    
  
Status: NEW → ASSIGNED
Target Milestone: --- → Bugzilla 2.18

    
    

    
  
Checking in editproducts.cgi;
/cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v  <--  editproducts.cgi
new revision: 1.40; previous revision: 1.39
done

Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Flags: approval? → approval+
Resolution: --- → FIXED

    
    

    
  
for thos who have this problem in editgroups see Bug 223704 
QA Contact: matty_is_a_geek → default-qa

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: