Commit fc5cdf3a authored by Dylan Hardison

Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error

r=dkl,a=dkl
parent 3e0ed9c3
...@@ -51,6 +51,7 @@ use constant WS_ERROR_CODE => { ...@@ -51,6 +51,7 @@ use constant WS_ERROR_CODE => {
number_too_large => 54, number_too_large => 54,
number_too_small => 55, number_too_small => 55,
illegal_date => 56, illegal_date => 56,
param_integer_array_required => 58,
# Bug errors usually occupy the 100-200 range. # Bug errors usually occupy the 100-200 range.
improper_bug_id_field_value => 100, improper_bug_id_field_value => 100,
bug_id_does_not_exist => 101, bug_id_does_not_exist => 101,
......
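Review bot: The new entry jumps to 58 while the visible run ends at `illegal_date => 56`, so 57 is skipped with nothing saying why; a trailing comment such as `param_integer_array_required => 58, # 57: <reason the number is skipped>` would stop a later author from reusing or "fixing" the gap. The hunk shows only a slice of WS_ERROR_CODE, so 57 may simply be assigned outside the view.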
...@@ -9,6 +9,9 @@ package Bugzilla::WebService::Util; ...@@ -9,6 +9,9 @@ package Bugzilla::WebService::Util;
use strict; use strict;
use base qw(Exporter); use base qw(Exporter);
use List::MoreUtils qw(all any);
use Bugzilla::Error;
# We have to "require", not "use" this, because otherwise it tries to # We have to "require", not "use" this, because otherwise it tries to
# use features of Test::More during import(). # use features of Test::More during import().
require Test::Taint; require Test::Taint;
...@@ -103,7 +106,8 @@ sub validate { ...@@ -103,7 +106,8 @@ sub validate {
# sent any parameters at all, and we're getting @keys where # sent any parameters at all, and we're getting @keys where
# $params should be. # $params should be.
return ($self, undef) if (defined $params and !ref $params); return ($self, undef) if (defined $params and !ref $params);
my @id_params = qw( ids comment_ids );
# If @keys is not empty then we convert any named # If @keys is not empty then we convert any named
# parameters that have scalar values to arrayrefs # parameters that have scalar values to arrayrefs
# that match. # that match.
...@@ -112,6 +116,12 @@ sub validate { ...@@ -112,6 +116,12 @@ sub validate {
$params->{$key} = ref $params->{$key} $params->{$key} = ref $params->{$key}
? $params->{$key} ? $params->{$key}
: [ $params->{$key} ]; : [ $params->{$key} ];
if (any { $key eq $_ } @id_params) {
my $ids = $params->{$key};
ThrowCodeError('param_integer_array_required', { param => $key })
unless ref($ids) eq 'ARRAY' && all { /^[0-9]+$/ } @$ids;
}
} }
} }
......
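Review bot: The integer check on the `all { /^[0-9]+$/ } @$ids` line is anchored with `^`/`$`, and `$` also matches before a trailing newline, so an element such as "12\n" passes as an integer id; since this line is the gate that turns a malformed id into a clean param_integer_array_required error instead of a downstream taint failure, it should read `unless ref($ids) eq 'ARRAY' && all { /\A[0-9]+\z/ } @$ids;`. An undef element still reaches the match and is rejected (empty string fails `+`), but only after an uninitialized-value warning, which is worth a one-line comment. The check sits inside the branch that wraps scalar values, so it presumably runs only for keys passed to validate() in @keys — ids arriving under a key not in that list would not be checked; the surrounding loop and the rest of validate lie outside the hunk. As a point of style, `any { $key eq $_ } @id_params` is a linear scan per key where a `my %is_id_param = map { $_ => 1 } qw( ids comment_ids );` lookup would read more directly.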
...@@ -290,6 +290,9 @@ ...@@ -290,6 +290,9 @@
a <code>[% param FILTER html %]</code> argument, and that a <code>[% param FILTER html %]</code> argument, and that
argument was not set. argument was not set.
[% ELSIF error == "param_integer_array_required" %]
The <code>[% param FILTER html %]</code> parameter must be an array of integers.
[% ELSIF error == "params_required" %] [% ELSIF error == "params_required" %]
[% title = "Missing Parameter" %] [% title = "Missing Parameter" %]
The function <code>[% function FILTER html %]</code> requires The function <code>[% function FILTER html %]</code> requires
......
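Review bot: The new param_integer_array_required branch emits its message without setting `title`, while the neighbouring params_required branch sets `[% title = "Missing Parameter" %]` before its text; if `title` falls through from whatever was set earlier in the template, this error page will carry an unrelated heading. Adding a title line after the ELSIF, e.g. `[% title = "Invalid Parameter" %]` or whichever wording the other parameter-type errors use, would keep the branches consistent. The param_required branch just above starts outside the hunk, so whether it sets a title cannot be confirmed here.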