Closed Bug 517502 Opened 16 years ago Closed 16 years ago

Security patch in 3.0.9 breaks some WebService Bug.create parameters

Categories

(Bugzilla :: WebService, defect)

3.0.9
defect
Not set
critical

Tracking

RESOLVED FIXED
Bugzilla 3.0

People

(Reporter: mkanat, Assigned: mkanat)

References

Details

(Keywords: regression)

Attachments

(1 file)

We did:

  my $field_name = FIELD_MAP->{$field} || $field;
  # Prevent SQL Injection via key names.
  _check_valid_field($field);

But we should have been passing $field_name to _check_valid_field, instead, because it validates against the *values* of FIELD_MAP, not the *keys*.
Flags: blocking3.0.10+
Depends on: 515191
Keywords: regression
Attached patch v1
Assignee: webservice → mkanat
Status: NEW → ASSIGNED
Attachment #401473 - Flags: review?(LpSolit)
Comment on attachment 401473: v1

Looks good and fixes the problem. r=LpSolit
Attachment #401473 - Flags: review?(LpSolit) → review+
Flags: approval3.0+
Checking in Bugzilla/WebService/Bug.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/Bug.pm,v  <--  Bug.pm
new revision: 1.4.2.6; previous revision: 1.4.2.5
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
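
The regression described in this bug, reproduced as an added example that is not Bugzilla's own code: an allowlist check applied to the caller-supplied key rejects legitimate mapped names, while the same check applied to the translated name accepts them and still rejects unknown keys. The FIELD_MAP entries, the %VALID_FIELD allowlist, the body of _check_valid_field and the translate_before/translate_after helpers are constructed assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample map: API-facing names (keys) => internal names (values).
use constant FIELD_MAP => {
    status   => 'bug_status',
    severity => 'bug_severity',
    summary  => 'short_desc',
};

# Constructed allowlist of internal names (assumption): the values of
# FIELD_MAP plus one field that needs no translation.
my %VALID_FIELD = map { $_ => 1 } (values %{ FIELD_MAP() }, 'priority');

# Hypothetical stand-in for the real validator: dies on unknown names.
sub _check_valid_field {
    my ($name) = @_;
    die "Invalid field name: $name\n" unless $VALID_FIELD{$name};
    return 1;
}

# As in 3.0.9: the untranslated key is validated, so mapped API names
# such as 'status' fail the check.
sub translate_before {
    my ($field) = @_;
    my $field_name = FIELD_MAP->{$field} || $field;
    _check_valid_field($field);
    return $field_name;
}

# As fixed: the translated name, the one used afterwards, is validated.
sub translate_after {
    my ($field) = @_;
    my $field_name = FIELD_MAP->{$field} || $field;
    _check_valid_field($field_name);
    return $field_name;
}

# Constructed inputs: a mapped name, an unmapped valid name, an unknown name.
for my $field ('status', 'priority', 'not_a_field') {
    for my $impl ([before => \&translate_before], [after => \&translate_after]) {
        my ($label, $code) = @$impl;
        my $result = eval { $code->($field) };
        printf "%-6s %-14s %s\n", $label, "'$field'",
            defined $result ? "accepted as $result" : "rejected";
    }
}
```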