Closed Bug 783794 Opened 12 years ago Closed 12 years ago

Bugzilla::User->visible_bugs should validate input data

Categories

(Bugzilla :: Bugzilla-General, enhancement)

Product:
Bugzilla
Component:
Bugzilla-General
Version:
4.3.2
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.4

People

(Reporter: LpSolit, Assigned: LpSolit)

Details

Attachments

(1 file)

patch, v1
848 bytes, patch
glob
: review+
Details | Diff | Splinter Review 
Bugzilla::User->visible_bugs() passes @check_ids directly into the SQL query without first validating that all items are integers. If a caller passes an alias (or any other string) by accident, then this could lead to SQL injection.

Rather than assuming that the caller does its job correctly and only passes integers, visible_bugs() should call detaint_natural() itself and call ThrowCodeError() if something goes wrong, as this should not happen.
Whiteboard: [Good Intro Bug]
(In reply to Frédéric Buclin from comment #0)
> Bugzilla::User->visible_bugs() passes @check_ids directly into the SQL query
> without first validating that all items are integers. If a caller passes an
> alias (or any other string) by accident, then this could lead to SQL
> injection.

Actually, this is not true. We correctly use placeholders for bug IDs. I misread

  ('?') x @check_ids

But it's still a good idea to validate data to prevent e.g. crashes on PostgreSQL which will complain heavily if a string is used instead of an integer.
Summary: Bugzilla::User->visible_bugs should validate input data to avoid SQL injection → Bugzilla::User->visible_bugs should validate input data
Whiteboard: [Good Intro Bug]
Attached patch patch, v1Splinter Review 
Assignee: general → LpSolit
Status: NEW → ASSIGNED

        Attachment #658138 -
        Flags: review?(glob)

    
    

    
  
Comment on attachment 658138 [details] [diff] [review]
patch, v1

r=glob by inspection.

        Attachment #658138 -
        Flags: review?(glob) → review+

    
  
Flags: approval4.4+
Flags: approval+

    
    

    
  
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/User.pm
Committed revision 8389.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified Bugzilla/User.pm
Committed revision 8387.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: