"new Bugzilla::User($uid)" allows you to pass invalid $uid

RESOLVED FIXED in Bugzilla 2.20

Status

Bugzilla
Bugzilla-General
RESOLVED FIXED
13 years ago
13 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

2.20
Bugzilla 2.20
Bug Flags:
approval +
approval2.20 +

Details

Attachments

(1 attachment, 1 obsolete attachment)

1.34 KB, patch
Max Kanat-Alexander
: review+
(Assignee)

Description

13 years ago
new() in User.pm doesn't make sure that its parameter is a valid integer. This allows me to edit a user with ID = "1k"! Well, PostgreSQL complains, but MySQL is happy with that:

mysql> select bug_id from bugs where bug_id="1k";
+--------+
| bug_id |
+--------+
|      1 |
+--------+
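To make the failure mode in the description concrete, here is an added Python model (not Bugzilla's own code) of the unchecked lookup beside a strict digit check; the USERS table, the lookup functions and the simplified MySQL coercion rule are all constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample data standing in for Bugzilla's profiles table
# (userid -> login); not taken from any real installation.
USERS = {1: "admin@example.com", 2: "alice@example.com", 10: "bob@example.com"}

# \A and \Z (not ^ and $) so a trailing newline is rejected; [0-9] instead
# of \d so non-ASCII digit characters are rejected as well.
_NATURAL = re.compile(r"\A[0-9]+\Z")


def mysql_loose_coerce(value: str) -> float:
    """Simplified model of how MySQL turns a string into a number when it is
    compared with a numeric column: leading whitespace is skipped, the numeric
    prefix is used and the rest is silently dropped ("1k" -> 1, "ddd" -> 0).
    Real MySQL has more rules; this is only enough to show the bug."""
    m = re.match(r"\s*[+-]?[0-9]+(?:\.[0-9]+)?", value)
    return float(m.group(0)) if m else 0.0


def lookup_user_unchecked(raw_uid: str) -> Optional[str]:
    """Behaviour reported in the bug: the raw CGI parameter reaches the
    numeric comparison unvalidated, so the database decides what '1k' means."""
    num = mysql_loose_coerce(raw_uid)
    return next((login for uid, login in USERS.items() if uid == num), None)


def validate_natural(value: str) -> Optional[int]:
    """Accept only a string of ASCII decimal digits and return it as an int;
    anything else yields None so the caller can fail before querying."""
    if not isinstance(value, str) or not _NATURAL.match(value):
        return None
    return int(value)


def lookup_user_checked(raw_uid: str) -> Optional[str]:
    """Fixed behaviour: a non-numeric id is an error, not a lookup of
    whichever user the database happens to coerce it to."""
    uid = validate_natural(raw_uid)
    if uid is None:
        raise ValueError(f"invalid user id {raw_uid!r}: expected digits only")
    return USERS.get(uid)


if __name__ == "__main__":
    for raw in ("1", "1k", "ddd", " 2x"):
        print(f"{raw!r}: unchecked -> {lookup_user_unchecked(raw)}, "
              f"validated -> {validate_natural(raw)}")
```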
(Assignee)

Comment 1

13 years ago
Created attachment 204989 [details] [diff] [review]
patch, v1
Assignee: general → LpSolit
Status: NEW → ASSIGNED
Attachment #204989 - Flags: review?(bugreport)
Does this fix bug 319090, too?
(Assignee)

Updated

13 years ago
Blocks: 319090
(Assignee)

Updated

13 years ago
Attachment #204989 - Flags: review?(mkanat)

Comment 3

13 years ago
Comment on attachment 204989 [details] [diff] [review]
patch, v1

I like the code, it looks fine. But I preferred the old error message, because it gave more information.
Attachment #204989 - Flags: review?(mkanat) → review-
(Assignee)

Comment 4

13 years ago
Created attachment 205554 [details] [diff] [review]
patch, v2

I'm now leaving the actual error message as is.
Attachment #204989 - Attachment is obsolete: true
Attachment #205554 - Flags: review?(mkanat)
Attachment #204989 - Flags: review?(bugreport)
(Assignee)

Comment 5

13 years ago
FYI, an easy way to test my patch is to go to editusers.cgi?action=edit&userid=ddd.
(Assignee)

Updated

13 years ago
Attachment #205554 - Flags: review?(wurblzap)

Comment 6

13 years ago
Comment on attachment 205554 [details] [diff] [review]
patch, v2

Yes, looks fine to me.
Attachment #205554 - Flags: review?(mkanat) → review+
(Assignee)

Updated

13 years ago
Flags: approval?
Flags: approval2.20?
(Assignee)

Updated

13 years ago
Attachment #205554 - Flags: review?(wurblzap)
Flags: approval?
Flags: approval2.20?
Flags: approval2.20+
Flags: approval+
(Assignee)

Comment 7

13 years ago
tip:

Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v  <--  User.pm
new revision: 1.98; previous revision: 1.97
done

2.20:

Checking in Bugzilla/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/User.pm,v  <--  User.pm
new revision: 1.61.2.14; previous revision: 1.61.2.13
done
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED