SECURITY FIX see bug 108516: Due to trusting of passed form fields that…

SECURITY FIX see bug 108516: Due to trusting of passed form fields that shouldn't have been trusted, it was possible to file a bug pretending to be someone else if you edited the HTML by hand before submitting. Patch by Dave Miller <justdave@syndicomm.com> r= bbaetz, jake

SECURITY FIX see bug 108516: Due to trusting of passed form fields that…
1d9fe70b · justdave%syndicomm.com · 2899c1de · 1d9fe70b
Commit 1d9fe70b authored Nov 06, 2001 by justdave%syndicomm.com
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 17 deletions

post_bug.cgi post_bug.cgi +13 -17

No files found.
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -103,10 +103,7 @@ if ($::FORM{'assigned_to'} eq "") {
    $::FORM{'assigned_to'} = DBNameToIdAndCheck($::FORM{'assigned_to'});
 }

-$::FORM{'reporter'} = DBNameToIdAndCheck($::FORM{'reporter'});
-
-
-my @bug_fields = ("reporter", "product", "version", "rep_platform",
+my @bug_fields = ("product", "version", "rep_platform",
                  "bug_severity", "priority", "op_sys", "assigned_to",
                  "bug_status", "bug_file_loc", "short_desc", "component",
                  "target_milestone");
@@ -145,7 +142,6 @@ if (!exists $::FORM{'target_milestone'}) {

 if ( Param("strictvaluechecks") ) {
    GetVersionTable();  
-    CheckFormField(\%::FORM, 'reporter');
    CheckFormField(\%::FORM, 'product', \@::legal_product);
    CheckFormField(\%::FORM, 'version', \@{$::versions{$::FORM{'product'}}});
    CheckFormField(\%::FORM, 'target_milestone',
@@ -174,7 +170,7 @@ if (exists $::FORM{'bug_status'} && $::FORM{'bug_status'} ne $::unconfirmedstate
 }

 my $query = "INSERT INTO bugs (\n" . join(",\n", @used_fields) . ",
-creation_ts, groupset)
+reporter, creation_ts, groupset)
 VALUES (
 ";

@@ -182,17 +178,17 @@ foreach my $field (@used_fields) {
 # fix for 42609. if there is a http:// only in bug_file_loc, strip
 # it out and send an empty value. 
    if ($field eq 'bug_file_loc') {
-       if ($::FORM{$field} eq 'http://') {
-           $::FORM{$field} = "";
-           $query .= SqlQuote($::FORM{$field}) . ",\n";
-           next;
-       } 
-       else {
-          $query .= SqlQuote($::FORM{$field}) . ",\n";
-       }
+        if ($::FORM{$field} eq 'http://') {
+            $::FORM{$field} = "";
+            $query .= SqlQuote($::FORM{$field}) . ",\n";
+            next;
+        }
+        else {
+            $query .= SqlQuote($::FORM{$field}) . ",\n";
+        }
    }
    else {
-       $query .= SqlQuote($::FORM{$field}) . ",\n";
+        $query .= SqlQuote($::FORM{$field}) . ",\n";
    }
 }

@@ -204,7 +200,7 @@ $comment = trim($comment);
 # OK except for the fact that it causes e-mail to be suppressed.
 $comment = $comment ? $comment : " ";

-$query .= "now(), (0";
+$query .= "$::userid, now(), (0";

 foreach my $b (grep(/^bit-\d*$/, keys %::FORM)) {
    if ($::FORM{$b}) {
@@ -251,7 +247,7 @@ SendSQL("select LAST_INSERT_ID()");
 my $id = FetchOneColumn();

 SendSQL("INSERT INTO longdescs (bug_id, who, bug_when, thetext) VALUES " .
-        "($id, $::FORM{'reporter'}, now(), " . SqlQuote($comment) . ")");
+        "($id, $::userid, now(), " . SqlQuote($comment) . ")");

 foreach my $person (keys %ccids) {
    SendSQL("insert into cc (bug_id, who) values ($id, $person)");