Commit 419a4d9f authored by kiko%async.com.br's avatar kiko%async.com.br

Fix for bug 251911: Silly ThrowUserError bits in attachment.cgi. Fixing

variables missing in some errors raised, and doing bits of $::FORM cleanup while we're at it. r=joel, a=justdave.
parent 4c5c5b73
...@@ -166,58 +166,64 @@ sub validateID ...@@ -166,58 +166,64 @@ sub validateID
{ {
my $param = @_ ? $_[0] : 'id'; my $param = @_ ? $_[0] : 'id';
# Only do this check for no 'id' parameter if we are trying to # If we're not doing interdiffs, check if id wasn't specified and
# validate the 'id' parameter # prompt them with a page that allows them to choose an attachment.
# Happens when calling plain attachment.cgi from the urlbar directly
if ($param eq 'id' && !$cgi->param('id')) { if ($param eq 'id' && !$cgi->param('id')) {
print Bugzilla->cgi->header(); print Bugzilla->cgi->header();
$template->process("attachment/choose.html.tmpl", $vars) || $template->process("attachment/choose.html.tmpl", $vars) ||
ThrowTemplateError($template->error()); ThrowTemplateError($template->error());
exit; exit;
} }
# Validate the value of the "id" form field, which must contain an
# integer that is the ID of an existing attachment.
$vars->{'attach_id'} = $::FORM{$param};
detaint_natural($::FORM{$param}) my $attach_id = $cgi->param($param);
|| ThrowUserError("invalid_attach_id");
# Validate the specified attachment id. detaint kills $attach_id if
# non-natural, so use the original value from $cgi in our exception
# message here.
detaint_natural($attach_id)
|| ThrowUserError("invalid_attach_id", { attach_id => $cgi->param($param) });
# Make sure the attachment exists in the database. # Make sure the attachment exists in the database.
SendSQL("SELECT bug_id, isprivate FROM attachments WHERE attach_id = $::FORM{$param}"); SendSQL("SELECT bug_id, isprivate FROM attachments WHERE attach_id = $attach_id");
MoreSQLData() MoreSQLData()
|| ThrowUserError("invalid_attach_id"); || ThrowUserError("invalid_attach_id", { attach_id => $attach_id });
# Make sure the user is authorized to access this attachment's bug. # Make sure the user is authorized to access this attachment's bug.
($bugid, my $isprivate) = FetchSQLData(); ($bugid, my $isprivate) = FetchSQLData();
ValidateBugID($bugid); ValidateBugID($bugid);
if (($isprivate > 0 ) && Param("insidergroup") && !(UserInGroup(Param("insidergroup")))) { if (($isprivate > 0 ) && Param("insidergroup") &&
!(UserInGroup(Param("insidergroup")))) {
ThrowUserError("attachment_access_denied"); ThrowUserError("attachment_access_denied");
} }
# XXX shim code, kill $::FORM
$::FORM{$param} = $attach_id;
} }
sub validateFormat sub validateFormat
{ {
$::FORM{'format'} ||= $_[0]; # receives a list of legal formats; first item is a default
if (! grep { $_ eq $::FORM{'format'} } @_) my $format = $cgi->param('format') || $_[0];
if ( lsearch(\@_, $format) == -1)
{ {
$vars->{'format'} = $::FORM{'format'}; ThrowUserError("invalid_format", { format => $format, formats => \@_ });
$vars->{'formats'} = \@_;
ThrowUserError("invalid_format");
} }
# XXX shim code, kill $::FORM
$::FORM{'format'} = $format;
} }
sub validateContext sub validateContext
{ {
$::FORM{'context'} ||= "patch"; my $context = $cgi->param('context') || "patch";
if ($::FORM{'context'} ne "file" && $::FORM{'context'} ne "patch") { if ($context ne "file" && $context ne "patch") {
$vars->{'context'} = $::FORM{'context'}; detaint_natural($context)
detaint_natural($::FORM{'context'}) || ThrowUserError("invalid_context", { context => $cgi->param('context') });
|| ThrowUserError("invalid_context");
delete $vars->{'context'};
} }
# XXX shim code, kill $::FORM
$::FORM{'context'} = $context;
} }
sub validateCanEdit sub validateCanEdit
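Review bot: The error-argument hashes added at `ThrowUserError("invalid_attach_id", { attach_id => $cgi->param($param) })` in validateID and `{ context => $cgi->param('context') }` in validateContext call `$cgi->param` in list context, where CGI.pm returns every value of a repeated parameter, or an empty list when it is absent, so a request carrying the parameter twice injects extra keys into the hash and a missing one leaves an odd-sized hash and a warning. Force scalar context, `{ attach_id => scalar $cgi->param($param) }` and `{ context => scalar $cgi->param('context') }`, or copy the pre-detaint value into a local before `detaint_natural` clobbers it and pass that. The assignments `my $format = $cgi->param('format') || $_[0];` and `my $context = $cgi->param('context') || "patch";` are not affected because `||` already imposes scalar context. validateID's `sub` line sits in the hunk header and validateCanEdit's body continues past the hunk.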