Bug 583645: [PostgreSQL] Many searches on Pg fail with a taint error
Opened 15 years ago, closed 15 years ago
Categories: Bugzilla :: Query/Bug List, defect
Tracking: RESOLVED FIXED, Bugzilla 4.2
People: Reporter: mkanat, Assigned: mkanat
Attachments: 1 file (690 bytes, patch; LpSolit: review+)
Right now on trunk, quicksearches and most other searches fail with a taint error.
The problem is that during the refactoring, I removed most of the extra "trick_taint" statements after $dbh->quote. Although on DBD::mysql this detaints stuff, on DBD::Pg it does not.
We have two options, really, for cross-database consistency in this area. They both involve overriding "quote" in Bugzilla::DB:
1) Check if the input is tainted, and re-taint any output if the input was tainted, no matter what.
2) Always detaint the output from "quote", no matter what.
I prefer #2--it's what DBD::mysql is doing now, and it means that we don't need a lot of extra "trick_taint" statements throughout the code after calling $dbh->quote.
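The second option from the description, as an added example that is not part of the bug report or the attached patch: a subclass overrides quote() and detaints the result, so a handle that refuses tainted SQL accepts the query. MockDriver, DetaintingDB, the sample query and the search term are hypothetical stand-ins, and the script must be run with perl -T.

```perl
# Run as: perl -T quote_taint.pl   (added example; the file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with perl -T\n" unless ${^TAINT};

# Hypothetical stand-in for a driver whose quote() lets taint flow through,
# which is the behaviour the report describes for DBD::Pg.
package MockDriver;
sub new { return bless {}, shift }
sub quote {
    my ($self, $value) = @_;
    return 'NULL' unless defined $value;
    (my $escaped = $value) =~ s/'/''/g;    # result stays tainted if $value was
    return "'$escaped'";
}
# Mimics a database handle that refuses tainted SQL.
sub prepare {
    my ($self, $sql) = @_;
    die "Insecure dependency in prepare\n" if Scalar::Util::tainted($sql);
    return $sql;
}

# Option 2 from the report: override quote() and always detaint its output.
package DetaintingDB;
our @ISA = ('MockDriver');
sub quote {
    my $self   = shift;
    my $quoted = $self->SUPER::quote(@_);
    # $1 from a regex capture is never tainted; /s lets "." match newlines too.
    if (defined $quoted && $quoted =~ /^(.*)$/s) { $quoted = $1 }
    return $quoted;
}

package main;

# Constructed input: joining in any %ENV value (tainted under -T) taints it.
my $term = "O'Brien" . substr(join('', values %ENV), 0, 0);
die "no tainted source available in %ENV\n" unless tainted($term);

for my $class (qw(MockDriver DetaintingDB)) {
    my $dbh = $class->new;
    # Constructed query, for illustration only.
    my $sql = 'SELECT bug_id FROM bugs WHERE short_desc = ' . $dbh->quote($term);
    my $ok  = eval { $dbh->prepare($sql); 1 };
    printf "%-13s tainted=%d prepare=%s\n", $class, tainted($sql) ? 1 : 0,
        $ok ? 'ok' : 'refused';
}
```

Detainting inside quote() relies on quote() having escaped the value. Anything interpolated into the SQL without passing through quote() stays tainted and is still rejected by prepare().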
Comment 1•15 years ago (Assignee)
Here's solution #2.
Assignee: query-and-buglist → mkanat
Status: NEW → ASSIGNED
Attachment #461965 - Flags: review?(LpSolit)
Comment 2•15 years ago
Comment on attachment 461965: v1 (always detaint)
I think this is safe. r=LpSolit
Attachment #461965 - Flags: review?(LpSolit) → review+
Updated•15 years ago
Flags: approval+
Comment 3•15 years ago (Assignee)
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/DB.pm
Committed revision 7413.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED