Bug 160710 - Taint checking causes problem with rename function

r=joel, preed

Bug 160710 - Taint checking causes problem with rename function
9b22dcde · bbaetz%student.usyd.edu.au · ebdbe669 · 9b22dcde · 9b22dcde
Commit 9b22dcde authored Aug 13, 2002 by bbaetz%student.usyd.edu.au
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

prefs.html.tmpl template/en/default/account/prefs/prefs.html.tmpl +10 -1

userprefs.cgi userprefs.cgi +5 -0

No files found.
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -100,7 +100,16 @@
 <form method="post" action="userprefs.cgi">
  <input type="hidden" name="tab" value="[% current_tab.name %]">

-  [% PROCESS "account/prefs/${current_tab.name}.html.tmpl" IF current_tab.name.defined %]
+  [%# See bug 160710 for why this is done this way %]
+  [% IF current_tab.name == "account" %]
+    [% PROCESS "account/prefs/account.html.tmpl" %]
+  [% ELSIF current_tab.name == "email" %]
+    [% PROCESS "account/prefs/email.html.tmpl" %]
+  [% ELSIF current_tab.name == "footer" %]
+    [% PROCESS "account/prefs/footer.html.tmpl" %]
+  [% ELSIF current_tab.name == "permissions" %]
+    [% PROCESS "account/prefs/permissions.html.tmpl" %]
+  [% END %]

  [% IF current_tab.saveable %]
    <input type="hidden" name="dosave" value="1">

--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -370,6 +370,9 @@ $vars->{'changes_saved'} = $::FORM{'dosave'};

 my $current_tab_name = $::FORM{'tab'} || "account";

+# The SWITCH below makes sure that this is valid
+trick_taint($current_tab_name);
+
 $vars->{'current_tab_name'} = $current_tab_name;

 # Do any saving, and then display the current tab.
@@ -393,6 +396,8 @@ SWITCH: for ($current_tab_name) {
        DoPermissions();
        last SWITCH;
    };
+    ThrowUserError("Unknown tab <code>" . html_quote($current_tab_name)
+                   . "</code>");
 }

 # Generate and return the UI (HTML page) from the appropriate template.