Closed Bug 309904 Opened 19 years ago Closed 19 years ago

Bugzilla crashes when using an invalid user ID in editusers.cgi

Categories

(Bugzilla :: Administration, task)

Product:
Bugzilla
Component:
Administration
Version:
2.20
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

(Whiteboard: [blocker will fix]) 

editusers.cgi, line 63:

# Directly from common CGI params derived values
my $otherUserID = $otherUser->id();


Most actions below this line do a check of the form:

    $otherUser
        || ThrowCodeError('invalid_user_id', {'userid' => $cgi->param('userid')});

But if the user ID is invalid, Bugzilla already crashed due to $otherUser->id()
which is applied on an undefined user object, making these checks useless.


One trivial fix could be to write:

my $otherUserID = $otherUser ? $otherUser->id() : 0;

But maybe there is a better cleanup to do here?
Target Milestone: --- → Bugzilla 2.22
Will this be fixed by bug 314039?
(In reply to comment #1)
> Will this be fixed by bug 314039?

yes, because we call check_user() before setting $otherUserID = $otherUser->id
Depends on: 314039
Whiteboard: [blocker will fix]
Assignee: administration → LpSolit
Target Milestone: Bugzilla 2.22 → Bugzilla 2.20
Version: 2.21 → 2.20
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.