SECURITY FIX for bug 109679: It was possible to send arbitrary SQL to…

buglist.cgi

@@ -639,7 +639,14 @@ sub GenerateSQL {
         push(@funcnames, $key);
     }
 
+    # first we delete any sign of "Chart #-1" from the HTML form hash
+    # since we want to guarantee the user didn't hide something here
+    my @badcharts = grep /^(field|type|value)-1-/, (keys %F);
+    foreach my $field (@badcharts) {
+        delete $F{$field};
+    }
 
+    # now we take our special chart and stuff it into the form hash
     my $chart = -1;
     my $row = 0;
     foreach my $ref (@specialchart) {
@@ -738,6 +745,13 @@ sub GenerateSQL {
 #               out duplicates.
 # $suppstring = String which is pasted into query containing all table names
 
+    # get a list of field names to verify the user-submitted chart fields against
+    my %chartfields;
+    SendSQL("SELECT name FROM fielddefs");
+    while (MoreSQLData()) {
+        my ($name) = FetchSQLData();
+        $chartfields{$name} = 1;
+    }
 
     $row = 0;
     for ($chart=-1 ;
@@ -759,6 +773,16 @@ sub GenerateSQL {
                 if ($f eq "noop" || $t eq "noop" || $v eq "") {
                     next;
                 }
+                # chart -1 is generated by other code above, not from the user-
+                # submitted form, so we'll blindly accept any values in chart -1
+                if ((!$chartfields{$f}) && ($chart != -1)) {
+                    my $errstr = "Can't use " . html_quote($f) . " as a field name.  " .
+                        "If you think you're getting this in error, please copy the " .
+                        "entire URL out of the address bar at the top of your browser " .
+                        "window and email it to <109679\@bugzilla.org>";
+                    die "Internal error: $errstr" if $chart < 0;
+                    return Error($errstr);
+                }
                 $q = SqlQuote($v);
                 my $func;
                 $term = undef;