Closed Bug 134562 Opened 22 years ago Closed 22 years ago

taint error in buglist.cgi

Categories

(Bugzilla :: Query/Bug List, defect, P2)

Product:
Bugzilla
Component:
Query/Bug List
Version:
2.15
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: jayvdb, Assigned: bbaetz)

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

v1
946 bytes, patch
justdave
: review+
gerv
: review+
Details | Diff | Splinter Review 
Whilst generating a buglist for a query containing 'votes', Bugzilla returns a
software error "Attempted to send tainted string 'SELECT DISTINCT ...' to the
database at globals.pl line 235.

The taint error is introduced at buglist.cgi line 1193.
Attached patch patch (obsolete) — Splinter Review 
copies the 'votes' validation from GenerateSQL.
Keywords: patch, regression
Thats the wrong place, (you're doing it as a side effect there), but I can't
reproduce this. What is the query you are running?
I am able to reproduce this on any query that contains votes=1.
I am using perl v5.6.0 (from SuSE perl-5.6.0-81) if that is any help.
OK, this works in 5.6.1. From investigation on IRC, whats happening is that perl
5.6.0 is considering the entire statement to be tainted if any part of the
statement is tatined.

The fix is just to use the block form of if.

The patch I'll attach also fixes a minor buglet I noticed, where if you enter
only whitespace in the votes box, the trim() in that code ignores teh field, but
the votes column is still pushed anyway.

Taking, for 2.16
Assignee: endico → bbaetz
Severity: normal → critical
Keywords: review
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.16
Attached patch v1Splinter Review 

        Attachment #76971 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 77205 [details] [diff] [review]
v1

r= justdave

        Attachment #77205 -
        Flags: review+

    
    

    
  
Comment on attachment 77205 [details] [diff] [review]
v1

r=gerv.

Gerv

        Attachment #77205 -
        Flags: review+

    
    

    
  
Checked in:

Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v  <--  buglist.cgi
new revision: 1.164; previous revision: 1.163
done

Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: