Bug 208647: Fixes taint error in add new products code.

Patch by jpyeron@pyerotechnics.com (Jason Pyeron) r= bbaetz, a= justdave

Bug 208647: Fixes taint error in add new products code.
68774da9 · justdave%syndicomm.com · ef9e98bd · 68774da9
Commit 68774da9 authored Oct 26, 2003 by justdave%syndicomm.com
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

editproducts.cgi editproducts.cgi +9 -2

No files found.
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -337,8 +337,15 @@ if ($action eq 'new') {
            SqlQuote($product) . "," .
            SqlQuote($description) . "," .
            SqlQuote($milestoneurl) . "," .
-            $disallownew . "," .
-            "$votesperuser, $maxvotesperbug, $votestoconfirm, " .
+            # had tainting issues under cygwin, IIS 5.0, perl -T %s %s
+            # see bug 208647. http://bugzilla.mozilla.org/show_bug.cgi?id=208647
+            # had to de-taint $disallownew, $votesperuser, $maxvotesperbug,
+            #  and $votestoconfirm w/ SqlQuote()
+            # - jpyeron@pyerotechnics.com
+            SqlQuote($disallownew) . "," .
+            SqlQuote($votesperuser) . "," .
+            SqlQuote($maxvotesperbug) . "," .
+            SqlQuote($votestoconfirm) . "," .
            SqlQuote($defaultmilestone) . ")");
    SendSQL("SELECT LAST_INSERT_ID()");
    my $product_id = FetchOneColumn();