Closed Bug 134562 Opened 23 years ago Closed 22 years ago

taint error in buglist.cgi

Categories

(Bugzilla :: Query/Bug List, defect, P2)

2.15
defect

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: jayvdb, Assigned: bbaetz)

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

Whilst generating a buglist for a query containing 'votes', Bugzilla returns a
software error "Attempted to send tainted string 'SELECT DISTINCT ...' to the
database at globals.pl line 235."

The taint error is introduced at buglist.cgi line 1193.
Attached patch patch (obsolete)
copies the 'votes' validation from GenerateSQL.
Keywords: patch, regression
That's the wrong place (you're doing it as a side effect there), but I can't
reproduce this. What is the query you are running?
I am able to reproduce this on any query that contains votes=1.
I am using perl v5.6.0 (from SuSE perl-5.6.0-81) if that is any help.
OK, this works in 5.6.1. From investigation on IRC, what's happening is that perl
5.6.0 is considering the entire statement to be tainted if any part of the
statement is tainted.

The fix is just to use the block form of if.

The patch I'll attach also fixes a minor buglet I noticed, where if you enter
only whitespace in the votes box, the trim() in that code ignores the field, but
the votes column is still pushed anyway.

Taking, for 2.16
Assignee: endico → bbaetz
Severity: normal → critical
Keywords: review
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.16
Attached patch v1
Attachment #76971 - Attachment is obsolete: true
Comment on attachment 77205
v1

r= justdave
Attachment #77205 - Flags: review+
Comment on attachment 77205
v1

r=gerv.

Gerv
Attachment #77205 - Flags: review+
Checked in:

Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v  <--  buglist.cgi
new revision: 1.164; previous revision: 1.163
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa