Closed
Bug 300831
Opened 19 years ago
Closed 19 years ago
editwhines twice uses $1 without checking for regex match
Categories
(Bugzilla :: Whining, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.20
People
(Reporter: karl, Assigned: karl)
References
Details
Attachments
(1 file, 2 obsolete files)
2.26 KB,
patch
|
bugreport
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) In editwhines.cgi, around line 240 and immediately after, two regexes were used. After each regex the variable $1 is used, but nothing is done to be sure that the regexes match before using $1. Reproducible: Didn't try Steps to Reproduce: See bug 297940 for more information.
Assignee | ||
Updated•19 years ago
|
Flags: blocking2.20?
Assignee | ||
Comment 1•19 years ago
|
||
For MAILTO_USER, throw an error if the regex doesn't match. For MAILTO_GROUP, also throw an error if the regex doesn't match. Requesting review from joel as suggested by LpSolit.
Attachment #189366 -
Flags: review?(bugreport)
Comment 2•19 years ago
|
||
Not blocking unless you can prove it actually causes a bug. (Although I agree it's good cleanup.)
Flags: blocking2.20? → blocking2.20-
Assignee | ||
Updated•19 years ago
|
Whiteboard: [patch awaiting review]
Karl, As I understand, original code were replasing original $mailto with results of the match. While your version is passing it as is if matched. So, I afraid there should be also something like: if ($mailto =~ /^[0-9a-z_\-\.]+$/i) { $mailto = $1; # $1 is definitely not undef here due to above check ... Or, resembling original code, $mailto =~ /.../; $mailto = $1 || ''; if ($mailto ne '') { ... Am I right?
Comment 4•19 years ago
|
||
Blocking a blocker (bug 297940), so this should be a blocker. Alternatively, make bug 297940 not a blocker any more :)
Assignee: erik → karl
Flags: blocking2.20- → blocking2.20?
Assignee | ||
Comment 5•19 years ago
|
||
(In reply to comment #3) > Karl, As I understand, original code were replasing original $mailto with > results of the match. While your version is passing it as is if matched. Well, if the match ever fails an error is thrown and execution stops, which is fine. Unfortunately, as you note, a good match doesn't erase the taint on $mailto. I'll update the patches appropriately.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee | ||
Comment 6•19 years ago
|
||
Modification of attachment 189366 [details] [diff] [review] with respect to comment 5. In the cases where the match passes, but the tainted $mailto is still used, replace $mailto with $1. Moving up review request.
Attachment #189366 -
Attachment is obsolete: true
Attachment #190461 -
Flags: review?(bugreport)
Assignee | ||
Updated•19 years ago
|
Attachment #190461 -
Attachment is obsolete: true
Attachment #190461 -
Flags: review?(bugreport)
Assignee | ||
Comment 7•19 years ago
|
||
Comment on attachment 189366 [details] [diff] [review] Patch v1 Removing review requests from obsolete attachments.
Attachment #189366 -
Flags: review?(bugreport)
Assignee | ||
Comment 8•19 years ago
|
||
Attachment #190463 -
Flags: review?(bugreport)
Comment 9•19 years ago
|
||
We made bug 297940 no longer a 2.20 blocker, so this is no longer a blocker either.
Flags: blocking2.20? → blocking2.20-
Updated•19 years ago
|
Attachment #190463 -
Flags: review?(bugreport) → review+
Assignee | ||
Updated•19 years ago
|
Whiteboard: [patch awaiting review]
Target Milestone: --- → Bugzilla 2.20
Assignee | ||
Updated•19 years ago
|
Flags: approval?
Flags: approval2.20?
Updated•19 years ago
|
Flags: approval?
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
Comment 10•19 years ago
|
||
tip: Checking in editwhines.cgi; /cvsroot/mozilla/webtools/bugzilla/editwhines.cgi,v <-- editwhines.cgi new revision: 1.10; previous revision: 1.9 done 2.20rc2: Checking in editwhines.cgi; /cvsroot/mozilla/webtools/bugzilla/editwhines.cgi,v <-- editwhines.cgi new revision: 1.8.2.1; previous revision: 1.8 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•