зеркало из https://github.com/mozilla/pjs.git
SECURITY FIX see bug 108516: Due to trusting of passed form fields that shouldn't have been trusted, it was possible to file a
bug pretending to be someone else if you edited the HTML by hand before submitting. Patch by Dave Miller <justdave@syndicomm.com> r= bbaetz, jake
This commit is contained in:
justdave%syndicomm.com
Родитель
91745f8739
Коммит
65cddcfd90
|
|
@ -103,10 +103,7 @@ if ($::FORM{'assigned_to'} eq "") {
|
|||
$::FORM{'assigned_to'} = DBNameToIdAndCheck($::FORM{'assigned_to'});
|
||||
}
|
||||
|
||||
$::FORM{'reporter'} = DBNameToIdAndCheck($::FORM{'reporter'});
|
||||
|
||||
|
||||
my @bug_fields = ("reporter", "product", "version", "rep_platform",
|
||||
my @bug_fields = ("product", "version", "rep_platform",
|
||||
"bug_severity", "priority", "op_sys", "assigned_to",
|
||||
"bug_status", "bug_file_loc", "short_desc", "component",
|
||||
"target_milestone");
|
||||
|
|
@ -145,7 +142,6 @@ if (!exists $::FORM{'target_milestone'}) {
|
|||
|
||||
if ( Param("strictvaluechecks") ) {
|
||||
GetVersionTable();
|
||||
CheckFormField(\%::FORM, 'reporter');
|
||||
CheckFormField(\%::FORM, 'product', \@::legal_product);
|
||||
CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}});
|
||||
CheckFormField(\%::FORM, 'target_milestone',
|
||||
|
|
@ -174,7 +170,7 @@ if (exists $::FORM{'bug_status'} && $::FORM{'bug_status'} ne $::unconfirmedstate
|
|||
}
|
||||
|
||||
my $query = "INSERT INTO bugs (\n" . join(",\n", @used_fields) . ",
|
||||
creation_ts, groupset)
|
||||
reporter, creation_ts, groupset)
|
||||
VALUES (
|
||||
";
|
||||
|
||||
|
|
@ -182,17 +178,17 @@ foreach my $field (@used_fields) {
|
|||
# fix for 42609. if there is a http:// only in bug_file_loc, strip
|
||||
# it out and send an empty value.
|
||||
if ($field eq 'bug_file_loc') {
|
||||
if ($::FORM{$field} eq 'http://') {
|
||||
$::FORM{$field} = "";
|
||||
$query .= SqlQuote($::FORM{$field}) . ",\n";
|
||||
next;
|
||||
}
|
||||
else {
|
||||
$query .= SqlQuote($::FORM{$field}) . ",\n";
|
||||
}
|
||||
if ($::FORM{$field} eq 'http://') {
|
||||
$::FORM{$field} = "";
|
||||
$query .= SqlQuote($::FORM{$field}) . ",\n";
|
||||
next;
|
||||
}
|
||||
else {
|
||||
$query .= SqlQuote($::FORM{$field}) . ",\n";
|
||||
}
|
||||
}
|
||||
else {
|
||||
$query .= SqlQuote($::FORM{$field}) . ",\n";
|
||||
$query .= SqlQuote($::FORM{$field}) . ",\n";
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -204,7 +200,7 @@ $comment = trim($comment);
|
|||
# OK except for the fact that it causes e-mail to be suppressed.
|
||||
$comment = $comment ? $comment : " ";
|
||||
|
||||
$query .= "now(), (0";
|
||||
$query .= "$::userid, now(), (0";
|
||||
|
||||
foreach my $b (grep(/^bit-\d*$/, keys %::FORM)) {
|
||||
if ($::FORM{$b}) {
|
||||
|
|
@ -251,7 +247,7 @@ SendSQL("select LAST_INSERT_ID()");
|
|||
my $id = FetchOneColumn();
|
||||
|
||||
SendSQL("INSERT INTO longdescs (bug_id, who, bug_when, thetext) VALUES " .
|
||||
"($id, $::FORM{'reporter'}, now(), " . SqlQuote($comment) . ")");
|
||||
"($id, $::userid, now(), " . SqlQuote($comment) . ")");
|
||||
|
||||
foreach my $person (keys %ccids) {
|
||||
SendSQL("insert into cc (bug_id, who) values ($id, $person)");
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче