Closed Bug 107743 Opened 24 years ago Closed 24 years ago

post_bug.cgi does not properly validate parameters.

Categories

(Bugzilla :: Creating/Changing Bugs, defect, P1)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Version:
2.15
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: CodeMachine, Assigned: bbaetz)

References

Details

Attachments

(1 file, 1 obsolete file)

patch, v2
1.85 KB, patch
gerv
: review+
justdave
: review+
Details | Diff | Splinter Review
post_bug.cgi needs some real loving. The initial status can be RESOLVED, the assignee can be blank, etc, etc. Using a GET URL you can insert all manner of broken bugs.
OK, we do seem to have checking, but you need to have strictvaluechecks on. This makes no sense to me. We should make sure this stuff works and enforce it always.
I agree 100%. I can't think of a single reason why anyone would not want strict value checks. Still, we should check in the newsgroups to find out if there is some legitimate reason we haven't thought of.
I suspect the reason is "terry couldn't be bothered testing/didn't have time to test these work, so he put them in as an option defaulted to off". Adding him so we can get an idea.
Terry verified in IRC today that this was indeed the reason. The "strict value checks" param can go away, and we can always use strict value checks.
Can't do this until bugs in those options are fixed - adding dependancy to bug 106993. Although I'm not sure what happens currently in that case...
Depends on: 106993
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.18
Blocks: 119715
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
StrictValueChecks is now on all the time - does that solve this problem? Gerv
Gerv, they are not on, that's why this bug has dependencies.
Taking. My patch will check that the status is either $::unconfirmedstate or 'NEW', and also fixes bug 63018 in the same patch Now that strict value checks are on by default, I think that thats all we need. Is there anything else which needs to be checked?
Assignee: myk → bbaetz
Keywords: patch, review
Attached patch patch (obsolete) — Splinter Review
Easy way to find out is to test.
Blocks: 63018
Comment on attachment 67820 [details] [diff] [review] patch I took a look at this, and everything appears in order, except that you can set a bug to UNCONFIRMED when this is not allowed. Perhaps the code from enter_bug.cgi should be reused.
Attachment #67820 - Flags: review-
Attached patch patch, v2Splinter Review
Attachment #67820 - Attachment is obsolete: true
Comment on attachment 69190 [details] [diff] [review] patch, v2 r=gerv. Gerv
Attachment #69190 - Flags: review+
Comment on attachment 69190 [details] [diff] [review] patch, v2 r= justdave looks good, applies cleanly, does what it says, and passes tests. :-)
Attachment #69190 - Flags: review+
Fixed
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Or maybe not.... not sure why the tests didn't catch it, and I have letsubmitterchoosepriority set on my install so I didn't notice this one. But this is definitely broken... (thanks to Daa for catching it) Param{'defaultpriority'} just doesn't work. Has to be either Param() or $::param{}. (notice parens vs braces)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Oops. Fixed.
Status: REOPENED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: