[SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an administrator) can inject arbitrary SQL via the URL used to edit an existing keyword.

Patch by Joel Peshkin <bugreport@peshkin.net> r= justdave, zach a= justdave
2003-11-03 03:31:30 +00:00 · 2003-11-03 03:31:30 +00:00 · d9b7ed995f
--- a/webtools/bugzilla/editkeywords.cgi
+++ b/webtools/bugzilla/editkeywords.cgi
@ -126,6 +126,7 @@ unless (UserInGroup("editkeywords")) {


 my $action  = trim($::FORM{action}  || '');
+detaint_natural($::FORM{id});


 if ($action eq "") {