Ivan Ivlev / bugzilla
Commit f3f3e005, authored May 10, 2001 by justdave%syndicomm.com
Fix for bug 38854: reports.cgi needs to escape (untrusted) url params
Patch by Myk Melez <myk@mozilla.org> r= jake@acutex.net
Parent: 12ec69f9
Showing 1 changed file with 44 additions and 60 deletions: reports.cgi (+44, -60)

reports.cgi @ f3f3e005
@@ -35,6 +35,8 @@
# daily stats file, so now works independently of collectstats.pl
# daily stats file, so now works independently of collectstats.pl
# version
# version
# Added image caching by date and datasets
# Added image caching by date and datasets
# Myk Melez <myk@mozilla.org):
# Implemented form field validation and reorganized code.
use
diagnostics
;
use
diagnostics
;
use
strict
;
use
strict
;
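Review bot: the new credit line has a mismatched bracket: `# Myk Melez <myk@mozilla.org):` opens the address with `<` and closes it with `)`. It should read `# Myk Melez <myk@mozilla.org>:`, the form the commit message itself uses.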
@@ -58,7 +60,6 @@ my %bugsperperson;
# while this looks odd/redundant, it allows us to name
# while this looks odd/redundant, it allows us to name
# functions differently than the value passed in
# functions differently than the value passed in
my
%
reports
=
my
%
reports
=
(
(
"most_doomed"
=>
\&
most_doomed
,
"most_doomed"
=>
\&
most_doomed
,
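Review bot: the comment above `%reports` should say that the hash is also the allowlist of report subroutines reachable from the `output` form parameter, since the validation added further down in this patch accepts only `keys %reports`; anyone adding a report needs to know that listing it here exposes it to the web. The comment being deleted in the next hunks (`# we want to be careful about what subroutines can be called from outside. modify %reports accordingly when a new report type is added`) says exactly that and would be more useful moved here than dropped.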
@@ -72,19 +73,6 @@ my %reports =
ConnectToDatabase
(
1
);
ConnectToDatabase
(
1
);
quietly_check_login
();
quietly_check_login
();
print
"Content-type: text/html\n"
;
# Changing attachment to inline to resolve 46897 - zach@zachlipton.com
print
"Content-disposition: inline; filename=bugzilla_report.html\n\n"
;
# If we're here for the first time, give a banner. Else respect the banner flag.
if
(
(
!
defined
$FORM
{
'product'
})
||
(
$FORM
{
'banner'
})
)
{
PutHeader
(
"Bug Reports"
)
}
else
{
print
(
"<html><head><title>Bug Reports</title></head><body bgcolor=\"#FFFFFF\">"
);
}
GetVersionTable
();
GetVersionTable
();
# If the usebuggroups parameter is set, we don't want to list all products.
# If the usebuggroups parameter is set, we don't want to list all products.
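Review bot: with the `Content-type` and `Content-disposition` prints removed from here, nothing in the script has emitted HTTP headers by the time the `DisplayError` calls in the next hunk run, so this only works if `DisplayError` writes its own headers before its message; please confirm that, otherwise the error pages go out as malformed responses. The `choose_product` branch prints its own `Content-type: text/html\n\n`, so that path is covered, and the permission-denied branch that used to print `<H1>Permission denied.</H1>` after the headers is replaced by a `DisplayError` call with the same dependency.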
@@ -103,54 +91,60 @@ if(Param("usebuggroups")) {
push
(
@myproducts
,
"-All-"
,
@legal_product
);
push
(
@myproducts
,
"-All-"
,
@legal_product
);
}
}
$FORM
{
'output'
}
||=
"most_doomed"
;
# a reasonable default
if
(
!
defined
$FORM
{
'product'
})
{
if
(
!
defined
$FORM
{
'product'
})
{
print
"Content-type: text/html\n\n"
;
PutHeader
(
"Bug Reports"
);
&
choose_product
;
&
choose_product
;
}
else
{
# If usebuggroups is on, we don't want people to be able to view
# reports for products they don't have permissions for...
if
(
Param
(
"usebuggroups"
)
&&
GroupExists
(
$FORM
{
'product'
})
&&
!
UserInGroup
(
$FORM
{
'product'
}))
{
print
"<H1>Permission denied.</H1>\n"
;
print
"Sorry; you do not have the permissions necessary to view\n"
;
print
"reports for this product.\n"
;
print
"<P>\n"
;
PutFooter
();
PutFooter
();
exit
;
}
# we want to be careful about what subroutines
}
else
{
# can be called from outside. modify %reports
# accordingly when a new report type is added
# For security and correctness, validate the value of the "product" form variable.
# Valid values are those products for which the user has permissions which appear
# in the "product" drop-down menu on the report generation form.
grep
(
$_
eq
$FORM
{
'product'
},
@myproducts
)
||
DisplayError
(
"You entered an invalid product name."
)
&&
exit
;
if
(
!
exists
$reports
{
$FORM
{
'output'
}})
{
# If usebuggroups is on, we don't want people to be able to view
$FORM
{
'output'
}
=
"most_doomed"
;
# a reasonable default
# reports for products they don't have permissions for...
Param
(
"usebuggroups"
)
&&
GroupExists
(
$FORM
{
'product'
})
&&
!
UserInGroup
(
$FORM
{
'product'
})
&&
DisplayError
(
"You do not have the permissions necessary to view reports for this product."
)
&&
exit
;
# For security and correctness, validate the value of the "output" form variable.
# Valid values are the keys from the %reports hash defined above which appear in
# the "output" drop-down menu on the report generation form.
$FORM
{
'output'
}
||=
"most_doomed"
;
# a reasonable default
grep
(
$_
eq
$FORM
{
'output'
},
keys
%
reports
)
||
DisplayError
(
"You entered an invalid output type."
)
&&
exit
;
# Output appropriate HTTP response headers
print
"Content-type: text/html\n"
;
# Changing attachment to inline to resolve 46897 - zach@zachlipton.com
print
"Content-disposition: inline; filename=bugzilla_report.html\n\n"
;
if
(
$FORM
{
'banner'
})
{
PutHeader
(
"Bug Reports"
);
}
else
{
print
(
"<html><head><title>Bug Reports</title></head><body bgcolor=\"#FFFFFF\">"
);
}
}
my
$f
=
$reports
{
$FORM
{
'output'
}};
# Execute the appropriate report generation function
# (the one whose name is the same as the value of the "output" form variable).
&
{
$reports
{
$FORM
{
'output'
}}};
# ??? why is this necessary? formatting looks fine without it
print
"<p>"
;
if
(
!
defined
$f
)
{
print
"start over, your form data was all messed up.<p>\n"
;
foreach
(
keys
%::
FORM
)
{
print
"<font color=blue>$_</font> : "
.
(
$FORM
{
$_
}
?
$FORM
{
$_
}
:
"undef"
)
.
"<br>\n"
;
}
PutFooter
()
if
$FORM
{
banner
};
PutFooter
()
if
$FORM
{
banner
};
exit
;
}
&
{
$f
};
}
}
print
<<FIN;
<p>
FIN
PutFooter
()
if
$FORM
{
banner
};
##################################
##################################
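Review bot: in all three validation statements (`grep(...) || DisplayError("You entered an invalid product name.") && exit;`, `Param("usebuggroups") && GroupExists(...) && !UserInGroup(...) && DisplayError(...) && exit;`, and the `output` check built the same way), `&&` binds tighter than `||`, so `exit` runs only if `DisplayError` returns a true value; if it returns false or undef, the script carries on with the unvalidated `$FORM{'product'}` or `$FORM{'output'}` and dispatches through `&{$reports{$FORM{'output'}}}`. Write each as an explicit block, for example `unless (grep($_ eq $FORM{'product'}, @myproducts)) { DisplayError("You entered an invalid product name."); exit; }`, so the exit does not depend on the helper's return value. The rest of the hunk is right: deleting the `foreach (keys %::FORM)` loop that echoed every raw form value into the page (`<font color=blue>$_</font> : $FORM{$_}`) removes the reflection this bug is about, and replacing the old `if (!exists $reports{$FORM{'output'}}) { $FORM{'output'} = "most_doomed"; }` silent fallback with a rejection of unknown `output` values is the stricter and better choice.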
@@ -257,7 +251,6 @@ FIN
FIN
FIN
#Add this above to get a control for showing the SQL query:
#Add this above to get a control for showing the SQL query:
#<input type=checkbox name=showsql value=1> Show SQL<br>
#<input type=checkbox name=showsql value=1> Show SQL<br>
PutFooter
();
}
}
sub
most_doomed
{
sub
most_doomed
{
@@ -485,11 +478,6 @@ FIN
FIN
FIN
}
}
sub
is_legal_product
{
my
$product
=
shift
;
return
grep
{
$_
eq
$product
}
@myproducts
;
}
sub
daily_stats_filename
{
sub
daily_stats_filename
{
my
(
$prodname
)
=
@_
;
my
(
$prodname
)
=
@_
;
$prodname
=~
s/\//-/gs
;
$prodname
=~
s/\//-/gs
;
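Review bot: deleting `is_legal_product` leaves the `s/\//-/gs` in `daily_stats_filename` as the only product-name sanitisation inside the report code, so every caller of `show_chart` now relies on the `grep($_ eq $FORM{'product'}, @myproducts)` check in the main body having run first. That holds for the current dispatch through `%reports`, but a one-line comment on `show_chart` stating that `$FORM{'product'}` is assumed to be pre-validated would stop a future direct call from skipping the check.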
@@ -501,10 +489,6 @@ sub show_chart {
# here. Should probably return some decent error message.
# here. Should probably return some decent error message.
return
unless
$use_gd
;
return
unless
$use_gd
;
if
(
!
is_legal_product
(
$FORM
{
'product'
}))
{
&
die_politely
(
"Unknown product: $FORM{'product'}"
);
}
if
(
!
$FORM
{
datasets
})
{
if
(
!
$FORM
{
datasets
})
{
die_politely
(
"You didn't select any datasets to plot"
);
die_politely
(
"You didn't select any datasets to plot"
);
}
}
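Review bot: the removed `die_politely("Unknown product: $FORM{'product'}")` interpolated the raw, unvalidated parameter into the error page, which is the class of problem this patch addresses; its replacement in the main body uses the fixed text `You entered an invalid product name.` and runs before any report is dispatched, so the deletion is correct as long as `show_chart` stays reachable only through the validated `%reports` dispatch. The `die_politely` for missing `datasets` is kept, which is fine since its message contains no user input.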