authorFrédéric Buclin <LpSolit@gmail.com>2016-03-19 17:33:48 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2016-03-19 17:33:48 +0100
commit6e0182e55396213869186764abb1620dcbf307f0 (patch)
tree9f5157d8ace42ea7d8650e8879e05fab3e40eee7
parentBug 1253267: Possible DOT injection vulnerability in dependency graphs if lon... (diff)
Bug 1230932: Providing a condition as an ID to the webservice results in a taint error
r/a=dkl
-rw-r--r--Bugzilla/WebService/Bug.pm4
-rw-r--r--Bugzilla/WebService/Constants.pm2
-rw-r--r--Bugzilla/WebService/Util.pm12
-rw-r--r--template/en/default/global/code-error.html.tmpl8
4 files changed, 23 insertions, 3 deletions
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index c996512..b07d3cb 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -1133,6 +1133,10 @@ sub update_comment_tags {
{ function => 'Bug.update_comment_tags',
param => 'comment_id' });
+ ThrowCodeError('param_integer_required', { function => 'Bug.update_comment_tags',
+ param => 'comment_id' })
+ unless $comment_id =~ /^[0-9]+$/;
+
my $comment = Bugzilla::Comment->new($comment_id)
|| return [];
$comment->bug->check_is_visible();
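Review bot: The new `unless $comment_id =~ /^[0-9]+$/;` guard anchors with `$`, which in Perl also matches before a trailing newline, so a comment_id of `"123\n"` passes the integer check and reaches `Bugzilla::Comment->new` unchanged; anchoring with `\A`/`\z` closes that: `unless $comment_id =~ /\A[0-9]+\z/;`. A successful match here does not untaint `$comment_id` (only captured groups do), so whatever untainting the constructor performs is presumably still what this path relies on — worth confirming against `Bugzilla::Comment->new` before treating this as the fix for the taint error in the title. The enclosing `update_comment_tags` starts before this hunk and continues past it.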
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 0bdd351..557a996 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -67,6 +67,8 @@ use constant WS_ERROR_CODE => {
number_too_large => 54,
number_too_small => 55,
illegal_date => 56,
+ param_integer_required => 57,
+ param_scalar_array_required => 58,
# Bug errors usually occupy the 100-200 range.
improper_bug_id_field_value => 100,
bug_id_does_not_exist => 101,
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index 26a6ebb..a879c0e 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -16,6 +16,7 @@ use Bugzilla::FlagType;
use Bugzilla::Error;
use Storable qw(dclone);
+use List::MoreUtils qw(any none);
use parent qw(Exporter);
@@ -220,14 +221,19 @@ sub validate {
# $params should be.
return ($self, undef) if (defined $params and !ref $params);
+ my @id_params = qw(ids comment_ids);
# If @keys is not empty then we convert any named
# parameters that have scalar values to arrayrefs
# that match.
foreach my $key (@keys) {
if (exists $params->{$key}) {
- $params->{$key} = ref $params->{$key}
- ? $params->{$key}
- : [ $params->{$key} ];
+ $params->{$key} = [ $params->{$key} ] unless ref $params->{$key};
+
+ if (any { $key eq $_ } @id_params) {
+ my $ids = $params->{$key};
+ ThrowCodeError('param_scalar_array_required', { param => $key })
+ unless ref($ids) eq 'ARRAY' && none { ref $_ } @$ids;
+ }
}
}
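Review bot: The new reference check sits inside the `foreach my $key (@keys)` loop, so it only runs for `ids`/`comment_ids` when the calling method names that key in `@keys`; a method that reads `$params->{ids}` without routing it through `validate` still receives whatever structure the client sent — presumably every ids-taking method does pass it, but that is worth confirming rather than assuming. Within the check, `none { ref $_ } @$ids` accepts `undef` elements (`ref undef` is the empty string), so `[undef]` is reported as a valid array of scalars; if that is unintended, `none { !defined $_ || ref $_ } @$ids` tightens it. As a style point, `my @id_params = qw(ids comment_ids);` is rebuilt on every call and would read better as a file-scoped `use constant ID_PARAMS => qw(ids comment_ids);`. The enclosing `validate` sub begins before this hunk and its return lies past the end of it.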
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 63f3ae9..830a7e7 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -290,6 +290,14 @@
a <code>[% param FILTER html %]</code> argument, and that
argument was not set.
+ [% ELSIF error == "param_integer_required" %]
+ The function <code>[% function FILTER html %]</code> requires
+ that <code>[% param FILTER html %]</code> be an integer.
+
+ [% ELSIF error == "param_scalar_array_required" %]
+ The <code>[% param FILTER html %]</code> parameter must be an array of scalars
+ (integers and/or strings).
+
[% ELSIF error == "params_required" %]
[% title = "Missing Parameter" %]
The function <code>[% function FILTER html %]</code> requires