Bug 754090: Bugzilla::FlagType::match() crashes when the group parameter is not a number

a=LpSolit

Bug 754090: Bugzilla::FlagType::match() crashes when the group parameter is not a number
89e86c93 · Frédéric Buclin · cb114a08 · 89e86c93 · 89e86c93
Commit 89e86c93 authored May 21, 2012 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 2 deletions

FlagType.pm Bugzilla/FlagType.pm +12 -2

editflagtypes.cgi editflagtypes.cgi +3 -0

No files found.
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -664,7 +664,10 @@ sub sqlify_criteria {
    }
    if ($criteria->{product_id}) {
        my $product_id = $criteria->{product_id};
-        
+        detaint_natural($product_id)
+          || ThrowCodeError('bad_arg', { argument => 'product_id',
+                                         function => 'Bugzilla::FlagType::sqlify_criteria' });
+
        # Add inclusions to the query, which simply involves joining the table
        # by flag type ID and target product/component.
        push(@$tables, "INNER JOIN flaginclusions AS i ON flagtypes.id = i.type_id");
@@ -681,6 +684,10 @@ sub sqlify_criteria {
        my $addl_join_clause = "";
        if ($criteria->{component_id}) {
            my $component_id = $criteria->{component_id};
+            detaint_natural($component_id)
+              || ThrowCodeError('bad_arg', { argument => 'component_id',
+                                             function => 'Bugzilla::FlagType::sqlify_criteria' });
+
            push(@criteria, "(i.component_id = $component_id OR i.component_id IS NULL)");
            $join_clause .= "AND (e.component_id = $component_id OR e.component_id IS NULL) ";
        }
@@ -694,7 +701,10 @@ sub sqlify_criteria {
    }
    if ($criteria->{group}) {
        my $gid = $criteria->{group};
-        detaint_natural($gid);
+        detaint_natural($gid)
+          || ThrowCodeError('bad_arg', { argument => 'group',
+                                         function => 'Bugzilla::FlagType::sqlify_criteria' });
+
        push(@criteria, "(flagtypes.grant_group_id = $gid " .
                        " OR flagtypes.request_group_id = $gid)");
    }

--- a/editflagtypes.cgi
+++ b/editflagtypes.cgi
@@ -141,6 +141,9 @@ if ($action eq 'list') {
    my $component_id = $component ? $component->id : 0;
    my $show_flag_counts = $cgi->param('show_flag_counts') ? 1 : 0;
    my $group_id = $cgi->param('group');
+    if ($group_id) {
+        detaint_natural($group_id) || ThrowUserError('invalid_group_ID');
+    }

    my $bug_flagtypes;
    my $attach_flagtypes;