Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error

r=dkl,a=dkl

Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error
396ae882 · Dylan Hardison · 6a241384 · 396ae882 · 396ae882 · 396ae882
Commit 396ae882 authored Dec 22, 2015 by Dylan Hardison
Showing with 21 additions and 1 deletion

Bug.pm Bugzilla/WebService/Bug.pm +4 -0

Constants.pm Bugzilla/WebService/Constants.pm +2 -0

Util.pm Bugzilla/WebService/Util.pm +8 -1

code-error.html.tmpl template/en/default/global/code-error.html.tmpl +7 -0

No files found.
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
@@ -1133,6 +1133,10 @@ sub update_comment_tags {
                          { function => 'Bug.update_comment_tags',
                            param    => 'comment_id' });

+    ThrowCodeError("param_integer_required", { function => 'Bug.update_comment_tags',
+                                               param => 'comment_id' })
+      unless $comment_id =~ /^[0-9]+$/;
+
    my $comment = Bugzilla::Comment->new($comment_id)
        || return [];
    $comment->bug->check_is_visible();

--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -67,6 +67,8 @@ use constant WS_ERROR_CODE => {
    number_too_large            => 54,
    number_too_small            => 55,
    illegal_date                => 56,
+    param_integer_required      => 57,
+    param_integer_array_required => 58,
    # Bug errors usually occupy the 100-200 range.
    improper_bug_id_field_value => 100,
    bug_id_does_not_exist       => 101,

--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -219,7 +219,8 @@ sub validate  {
    # sent any parameters at all, and we're getting @keys where
    # $params should be.
    return ($self, undef) if (defined $params and !ref $params);
-    
+
+    my @id_params = qw( ids comment_ids );
    # If @keys is not empty then we convert any named 
    # parameters that have scalar values to arrayrefs
    # that match.
@@ -228,6 +229,12 @@ sub validate  {
            $params->{$key} = ref $params->{$key} 
                              ? $params->{$key} 
                              : [ $params->{$key} ];
+
+            if (any { $key eq $_ } @id_params) {
+                my $ids = $params->{$key};
+                ThrowCodeError('param_integer_array_required', { param => $key })
+                  unless ref($ids) eq 'ARRAY' && all { /^[0-9]+$/ } @$ids;
+            }
        }
    }


--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -290,6 +290,13 @@
    a <code>[% param FILTER html %]</code> argument, and that
    argument was not set.

+  [% ELSIF error == "param_integer_required" %]
+    The function <code>[% function FILTER html %]</code> requires
+    that <code>[% param FILTER html %]</code> be an integer.
+
+  [% ELSIF error == "param_integer_array_required" %]
+    The <code>[% param FILTER html %]</code> parameter must be an array of integers.
+
  [% ELSIF error == "params_required" %]
    [% title = "Missing Parameter" %]
    The function <code>[% function FILTER html %]</code> requires