Skip to content

bugzilla
bugzilla
Commit 89e86c93 authored by Frédéric Buclin's avatar Frédéric Buclin
Browse files
Options

Bug 754090: Bugzilla::FlagType::match() crashes when the group parameter is not a number

a=LpSolit
parent cb114a08
Hide whitespace changes
Inline Side-by-side
Showing with 15 additions and 2 deletions
Bugzilla/FlagType.pm
View file @ 89e86c93
...@@ -664,7 +664,10 @@ sub sqlify_criteria { ...@@ -664,7 +664,10 @@ sub sqlify_criteria {
} }
if ($criteria->{product_id}) { if ($criteria->{product_id}) {
my $product_id = $criteria->{product_id}; my $product_id = $criteria->{product_id};
detaint_natural($product_id)
|| ThrowCodeError('bad_arg', { argument => 'product_id',
function => 'Bugzilla::FlagType::sqlify_criteria' });
# Add inclusions to the query, which simply involves joining the table # Add inclusions to the query, which simply involves joining the table
# by flag type ID and target product/component. # by flag type ID and target product/component.
push(@$tables, "INNER JOIN flaginclusions AS i ON flagtypes.id = i.type_id"); push(@$tables, "INNER JOIN flaginclusions AS i ON flagtypes.id = i.type_id");
...@@ -681,6 +684,10 @@ sub sqlify_criteria { ...@@ -681,6 +684,10 @@ sub sqlify_criteria {
my $addl_join_clause = ""; my $addl_join_clause = "";
if ($criteria->{component_id}) { if ($criteria->{component_id}) {
my $component_id = $criteria->{component_id}; my $component_id = $criteria->{component_id};
detaint_natural($component_id)
|| ThrowCodeError('bad_arg', { argument => 'component_id',
function => 'Bugzilla::FlagType::sqlify_criteria' });
push(@criteria, "(i.component_id = $component_id OR i.component_id IS NULL)"); push(@criteria, "(i.component_id = $component_id OR i.component_id IS NULL)");
$join_clause .= "AND (e.component_id = $component_id OR e.component_id IS NULL) "; $join_clause .= "AND (e.component_id = $component_id OR e.component_id IS NULL) ";
} }
...@@ -694,7 +701,10 @@ sub sqlify_criteria { ...@@ -694,7 +701,10 @@ sub sqlify_criteria {
} }
if ($criteria->{group}) { if ($criteria->{group}) {
my $gid = $criteria->{group}; my $gid = $criteria->{group};
detaint_natural($gid); detaint_natural($gid)
|| ThrowCodeError('bad_arg', { argument => 'group',
function => 'Bugzilla::FlagType::sqlify_criteria' });
push(@criteria, "(flagtypes.grant_group_id = $gid " . push(@criteria, "(flagtypes.grant_group_id = $gid " .
" OR flagtypes.request_group_id = $gid)"); " OR flagtypes.request_group_id = $gid)");
} }
......
editflagtypes.cgi
View file @ 89e86c93
...@@ -141,6 +141,9 @@ if ($action eq 'list') { ...@@ -141,6 +141,9 @@ if ($action eq 'list') {
my $component_id = $component ? $component->id : 0; my $component_id = $component ? $component->id : 0;
my $show_flag_counts = $cgi->param('show_flag_counts') ? 1 : 0; my $show_flag_counts = $cgi->param('show_flag_counts') ? 1 : 0;
my $group_id = $cgi->param('group'); my $group_id = $cgi->param('group');
if ($group_id) {
detaint_natural($group_id) || ThrowUserError('invalid_group_ID');
}
my $bug_flagtypes; my $bug_flagtypes;
my $attach_flagtypes; my $attach_flagtypes;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment