Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-11 12:25:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix for bug 108812: Prevent users from running queries containing arbitrary SQL.

Browse Source 
Patch by Jake <jake@acutex.net>
r=bbaetz,myk
This commit is contained in:
myk%mozilla.org 2001-11-08 00:49:18 +00:00
parent e27189dd1d
commit fa9b2fac19
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
webtools/bugzilla/buglist.cgi
View File

@ -187,10 +187,14 @@ sub GenerateSQL {
push(@specialchart, ["bug_id", $type, join(',', @{$M{'bug_id'}})]);
}
if (defined $F{'sql'}) {
die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
push(@wherepart, "( $F{'sql'} )");
}
# This is evil. We should never allow a user to directly append SQL to
# any query without a huge amount of validation. Even then, it would
# be a bad idea. Beware that uncommenting this will allow someone to
# peak at virtually anything they want in the bugs database.
# if (defined $F{'sql'}) {
# die "Invalid sql: $F{'sql'}" if $F{'sql'} =~ /;/;
# push(@wherepart, "( $F{'sql'} )");
# }
my @legal_fields = ("product", "version", "rep_platform", "op_sys",
"bug_status", "resolution", "priority", "bug_severity",