User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705) Build Identifier: When adding a new product after submit I get Insecure dependency in parameter 1 of DBI::db=HASH(0x10611388)->prepare method call while running with -T switch at Bugzilla/DB.pm line 64. Reproducible: Always Steps to Reproduce: 1. install on cygwin, use IIS 5.0 (win2kpro) 2. perl -T %s %s 3. go to products page, choose add, then submit Version 2.17.4 Bugzilla/DB.pm:64: $_current_sth = Bugzilla->dbh->prepare($str);
offending code from editproducts.cgi: about line 329 SendSQL("INSERT INTO products ( " . "name, description, milestoneurl, disallownew, votesperuser, " . "maxvotesperbug, votestoconfirm, defaultmilestone" . " ) VALUES ( " . SqlQuote($product) . "," . SqlQuote($description) . "," . SqlQuote($milestoneurl) . "," . $disallownew . "," . "$votesperuser, $maxvotesperbug, $votestoconfirm, " . SqlQuote($defaultmilestone) . ")");
Created attachment 125145 [details] [diff] [review] detaint vars for add new product sql fixed it by untainting: $disallownew $votesperuser $maxvotesperbug $votestoconfirm with SqlQuote()
Created attachment 125147 [details] [diff] [review] detaint vars for add new product sql forgot to comment the code
Created attachment 125148 [details] [diff] [review] detaint vars for add new product sql
edit* does not run under taint mode. Yes, we know that this affects windows (because windows can't run some scripts under -T and others not) These shouldn't be SqlQuoted, but instead checked for numerics (via detaint_natural).
Bug xxx has been added to the database Content-type: text/html Software error: Insecure dependency in exec while running with -T switch at /var/www/bugzilla- 2.16.3/post_bug.cgi line 303.
re commet 6: thanks, unfortunatly it will be some time before this problem on the stable branch is attacked. If you would like to check the development (tip), and this problem is still there, a patch will be created ASAP by our company.
Comment on attachment 125148 [details] [diff] [review] detaint vars for add new product sql I don't know where MattyT is these days...
Comment on attachment 125148 [details] [diff] [review] detaint vars for add new product sql I'll be really surprised if tis makes editproducts taint-safe, but.... Its not strictly correct (we should detaint_natural) them first, but its edit*, and not a security issue, so r=bbaetz
Assigning to patch writer.
Checking in editproducts.cgi; /cvsroot/mozilla/webtools/bugzilla/editproducts.cgi,v <-- editproducts.cgi new revision: 1.40; previous revision: 1.39 done
for thos who have this problem in editgroups see Bug 223704