Closed Bug 155700 Opened 21 years ago Closed 21 years ago

taint error in SendSQL when called from ValidateBugID

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
blocker

RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: myk, Assigned: myk)

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

ValidateBugID makes sure the ID is valid in a way that doesn't detaint it. 
ValidateBugID needs to trick_taint/detaint_natural the ID.
Attached patch patch v1: fixes problem (obsolete)
It's a blocker.  Bugzilla doesn't work now.  This is a regression from bug 99203.
Assignee: justdave → myk
Severity: normal → blocker
Keywords: patch, regression, review
Target Milestone: --- → Bugzilla 2.18
Comment on attachment 90168
patch v1: fixes problem

Actually, what you should be doing is doing |my $alias = $id|, then instead of
the regexp against [1-9][0-9]* do if !detaint_natural($id) && ... and have the
code in the if use $alias instead of $id.

You need the copy because detaint_natural modifies its arguments.
Attachment #90168 - Flags: review-
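
The copy-then-detaint pattern from the review comment above, next to the match-only check it replaces, as an added Perl example that is not part of this bug report or of the Bugzilla patch. `detaint_natural` and `send_sql` here are simplified stand-ins written for this example, and the alias table and inputs are constructed.

```perl
#!/usr/bin/perl -T
# Added illustration. Taint mode is required: run as `perl -T example.pl`.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Simplified stand-in for detaint_natural: untaints a natural number IN PLACE
# and leaves the argument undef when the value does not match.
sub detaint_natural {
    my ($match) = $_[0] =~ /^(\d+)$/;
    $_[0] = $match;
    return defined $_[0];
}

# Stand-in for SendSQL: refuse to run a query built from tainted data.
sub send_sql {
    my ($sql) = @_;
    die "tainted data in SQL\n" if tainted($sql);
    return $sql;
}

# Constructed alias table standing in for the database lookup.
my %alias_to_id = (frobnicator => 7);

sub validate_bug_id {
    my ($id) = @_;
    my $alias = $id;    # copy first: detaint_natural overwrites $id
    if (!detaint_natural($id)) {
        $id = $alias_to_id{$alias};    # id comes from the table, not the request
        die "'$alias' is not a valid bug number or alias\n" unless defined $id;
    }
    return send_sql("SELECT bug_id FROM bugs WHERE bug_id = $id");
}

# Constructed input: a zero-length slice of the tainted $0/$^X taints the string.
sub taint { return $_[0] . substr("$0$^X", 0, 0) }

for my $input (taint('155700'), taint('frobnicator'), taint('1 OR 1=1')) {
    my $sql = eval { validate_bug_id($input) };
    print defined($sql) ? "ok:       $sql\n" : "rejected: $@";
}

# A match without a capture validates the value but leaves it tainted.
my $raw = taint('155700');
if ($raw =~ /^[1-9][0-9]*$/) {
    eval { send_sql("SELECT bug_id FROM bugs WHERE bug_id = $raw") };
    print "match-only check: $@";
}
```
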
The bbaetz way.  Presumably the $id BugIDToAlias returns is non-tainted by
virtue of having been returned from the database.
Attachment #90168 - Attachment is obsolete: true
I'll probably be away from the computer Thursday (July 4).  Feel free to check
this in on my behalf if it gets review and I'm not around to check it in.
Comment on attachment 90187
patch v2: bbaetz' way

This looks ok. Unfortunately, I can't test, because it turns out that $::FORM is
_NOT_ tainted under perl5.6.1. (This is probably why I/myk didn't pick this up
earlier.)

See http://bugs.perl.org/perlbug.cgi?req=bug_id&bug_id=20020704.001 for my
bug report on this.

I have a workaround, which I will be submitting for 2.16 unless the perl bug
people have a better solution.

r=bbaetz, but only 1x because of that
Attachment #90187 - Flags: review+
bbaetz: What does this have to do with 2.16?  This is a regression from the fix
for bug 99203 (bug aliases), which only went into 2.18.  By "only one review",
do you mean to say that I can check it in (since 2.18 patches require only a
single review by default) or that a second is required?
It means that I can't actually test, so you should get review from someone with
perl 5.6.0 (or 5.005) who can.

My 2.16 comment was referring to bug 155793, which is why I can't test this.
Comment on attachment 90187
patch v2: bbaetz' way

Actually, I now have a fix for the other bug, so I can test this.

r=bbaetz x2
Attachment #90187 - Flags: review+
Checking in CGI.pl;
/cvsroot/mozilla/webtools/bugzilla/CGI.pl,v  <--  CGI.pl
new revision: 1.161; previous revision: 1.160
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa