Fix for bug 108982: enable taint mode for all user-facing CGI files.

Patch by Brad Baetz <bbaetz@student.usyd.edu.au> r= jake, justdave

Fix for bug 108982: enable taint mode for all user-facing CGI files.
4e6767d4 · justdave%syndicomm.com · 72f340e3 · 4e6767d4 · 4e6767d4 · 4e6767d4
Commit 4e6767d4 authored Jan 20, 2002 by justdave%syndicomm.com
40 changed files
--- a/Attachment.pm
+++ b/Attachment.pm
-#!/usr/bonsaitools/bin/perl -w
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public

--- a/Bug.pm
+++ b/Bug.pm
-#!/usr/bonsaitools/bin/perl -w
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -75,10 +74,12 @@ sub initBug  {
  my $self = shift();
  my ($bug_id, $user_id) = (@_);

-
-  if ( (! defined $bug_id) || (!$bug_id) ) {
-    # no bug number given
-    return {};
+  my $old_bug_id = $bug_id;
+  if ((! defined $bug_id) || (!$bug_id) || (!&::detaint_natural($bug_id))) {
+      # no bug number given
+      $self->{'bug_id'} = $old_bug_id;
+      $self->{'error'} = "InvalidBugId";
+      return $self;
  }

 # default userid 0, or get DBID if you used an email address

--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
-#!/usr/bonsaitools/bin/perl -w
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public

--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
-#!/usr/bonsaitools/bin/perl -w
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -75,10 +74,12 @@ sub initBug  {
  my $self = shift();
  my ($bug_id, $user_id) = (@_);

-
-  if ( (! defined $bug_id) || (!$bug_id) ) {
-    # no bug number given
-    return {};
+  my $old_bug_id = $bug_id;
+  if ((! defined $bug_id) || (!$bug_id) || (!&::detaint_natural($bug_id))) {
+      # no bug number given
+      $self->{'bug_id'} = $old_bug_id;
+      $self->{'error'} = "InvalidBugId";
+      return $self;
  }

 # default userid 0, or get DBID if you used an email address

--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
-#!/usr/bonsaitools/bin/perl -w
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public

--- a/CGI.pl
+++ b/CGI.pl
@@ -93,6 +93,9 @@ sub url_quote {


 sub ParseUrlString {
+    # We don't want to detaint the user supplied data...
+    use re 'taint';
+
    my ($buffer, $f, $m) = (@_);
    undef %$f;
    undef %$m;
@@ -118,6 +121,7 @@ sub ParseUrlString {
            $name = $item;
            $value = "";
        }
+
        if ($value ne "") {
            if (defined $f->{$name}) {
                $f->{$name} .= $value;
@@ -141,7 +145,6 @@ sub ParseUrlString {
    }
 }

-
 sub ProcessFormFields {
    my ($buffer) = (@_);
    return ParseUrlString($buffer, \%::FORM, \%::MFORM);
@@ -259,18 +262,18 @@ sub ValidateBugID {
    # Validates and verifies a bug ID, making sure the number is a 
    # positive integer, that it represents an existing bug in the
    # database, and that the user is authorized to access that bug.
+    # We detaint the number here, too

-    my ($id) = @_;
-
-    # Make sure the bug number is a positive integer.
-    # Whitespace can be ignored because the SQL server will ignore it.
-    $id =~ /^\s*([1-9][0-9]*)\s*$/
+    $_[0] = trim($_[0]); # Allow whitespace arround the number
+    detaint_natural($_[0])
      || DisplayError("The bug number is invalid. If you are trying to use " .
                      "QuickSearch, you need to enable JavaScript in your " .
                      "browser. To help us fix this limitation, look " .
                      "<a href=\"http://bugzilla.mozilla.org/show_bug.cgi?id=70907\">here</a>.") 
      && exit;

+    my ($id) = @_;
+
    # Get the values of the usergroupset and userid global variables
    # and write them to local variables for use within this function,
    # setting those local variables to the default value of zero if
@@ -685,6 +688,8 @@ sub quietly_check_login() {
                    $::COOKIE{"Bugzilla_login"} = $loginname; # Makes sure case
                                                              # is in
                                                              # canonical form.
+                    # We've just verified that this is ok
+                    detaint_natural($::COOKIE{"Bugzilla_logincookie"});
                } else {
                    $::disabledreason = $disabledtext;
                }
@@ -1430,6 +1435,8 @@ if (defined $ENV{"REQUEST_METHOD"}) {


 if (defined $ENV{"HTTP_COOKIE"}) {
+    # Don't trust anything which came in as a cookie
+    use re 'taint';
    foreach my $pair (split(/;/, $ENV{"HTTP_COOKIE"})) {
        $pair = trim($pair);
        if ($pair =~ /^([^=]*)=(.*)$/) {

--- a/Token.pm
+++ b/Token.pm
-#!/usr/bonsaitools/bin/perl -w
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public

--- a/attachment.cgi
+++ b/attachment.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -29,6 +29,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 # Include the Bugzilla CGI and general utility library.
 require "CGI.pl";

@@ -139,10 +141,10 @@ exit;

 sub validateID
 {
-  # Validate the value of the "id" form field, which must contain a positive
+  # Validate the value of the "id" form field, which must contain an
  # integer that is the ID of an existing attachment.

-  $::FORM{'id'} =~ /^[1-9][0-9]*$/
+  detaint_natural($::FORM{'id'})
    || DisplayError("You did not enter a valid attachment number.") 
      && exit;
  

--- a/buglist.cgi
+++ b/buglist.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -26,6 +26,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";
 use Date::Parse;

@@ -783,6 +785,11 @@ sub GenerateSQL {
                    die "Internal error: $errstr" if $chart < 0;
                    return Error($errstr);
                }
+
+                # This is either from the internal chart (in which case we
+                # already know about it), or it was in %chartfields, so it is
+                # a valid field name, which means that its ok.
+                trick_taint($f);
                $q = SqlQuote($v);
                my $func;
                $term = undef;
@@ -1067,7 +1074,15 @@ my @fields = ("bugs.bug_id", "bugs.groupset");

 foreach my $c (@collist) {
    if (exists $::needquote{$c}) {
-        push(@fields, "$::key{$c}");
+        # The value we are actually using is $::key{$c}, which was created
+        # using the DefCol() function earlier.  We test for the existance
+        # of $::needsquote{$c} to find out if $c is a legitimate key in the
+        # hashes that were defined by DefCol().  If $::needsquote{$c} exists,
+        # then $c is valid and we can use it to look up our key.
+        # If it doesn't exist, then we know the user is screwing with us   
+        # and we'll just skip it.
+        trick_taint($c);
+        push(@fields, $::key{$c});
    }
 }

@@ -1142,6 +1157,7 @@ if (defined $::FORM{'order'} && $::FORM{'order'} ne "") {
    }
    die "Invalid order: $::FORM{'order'}" unless
        $::FORM{'order'} =~ /^([a-zA-Z0-9_., ]+)$/;
+    $::FORM{'order'} = $1; # detaint this, since we've checked it

    # Extra special disgusting hack: if we are ordering by target_milestone,
    # change it to order by the sortkey of the target_milestone first.

--- a/bugzilla.dtd
+++ b/bugzilla.dtd
@@ -8,7 +8,7 @@ priority, version, rep_platform, assigned_to, delta_ts, component,
 reporter, target_milestone?, bug_severity, creation_ts, qa_contact?, 
 status_whiteboard?, op_sys, short_desc?, keywords*, dependson*, 
 blocks*, cc*, long_desc?, attachment*)>
-<!ATTLIST bug error (NotFound|NotPermitted) #IMPLIED>
+<!ATTLIST bug error (NotFound|NotPermitted|InvalidBugId) #IMPLIED>
 <!ELEMENT bug_id (#PCDATA)>
 <!ELEMENT short_desc (#PCDATA)>
 <!ELEMENT bug_status (#PCDATA)>

--- a/changepassword.cgi
+++ b/changepassword.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public

--- a/colchange.cgi
+++ b/colchange.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 sub sillyness { # shut up "used only once" warnings
  my $zz = @::legal_keywords;
 }

--- a/createaccount.cgi
+++ b/createaccount.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -26,6 +26,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 # Shut up misguided -w warnings about "used only once":

--- a/createattachment.cgi
+++ b/createattachment.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 use vars %::COOKIE, %::FILENAME;

--- a/describecomponents.cgi
+++ b/describecomponents.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@ use vars %::FORM;
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();

--- a/describekeywords.cgi
+++ b/describekeywords.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();

--- a/doeditparams.cgi
+++ b/doeditparams.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";
 require "defparams.pl";


--- a/doeditvotes.cgi
+++ b/doeditvotes.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();
@@ -67,9 +69,6 @@ if (0 == @buglist) {
 # minus sign).
 foreach my $id (@buglist) {
  ValidateBugID($id);
-  ($::FORM{$id} =~ /^\d+$/)
-    || DisplayError("Only use non-negative numbers for your bug votes.")
-    && exit;
 }

 ######################################################################
@@ -144,7 +143,7 @@ while (MoreSQLData()) {
 }
 SendSQL("delete from votes where who = $who");
 foreach my $id (@buglist) {
-    if ($::FORM{$id} > 0) {
+    if (detaint_natural($::FORM{$id}) && $::FORM{$id} > 0) {
        SendSQL("insert into votes (who, bug_id, count) values ($who, $id, $::FORM{$id})");
    }
    $affected{$id} = 1;

--- a/duplicates.cgi
+++ b/duplicates.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -27,6 +27,9 @@ use diagnostics;
 use strict;
 use CGI "param";
 use AnyDBM_File;
+
+use lib qw(.);
+
 require "globals.pl";
 require "CGI.pl";


--- a/enter_bug.cgi
+++ b/enter_bug.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -35,6 +35,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 # Shut up misguided -w warnings about "used only once".  "use vars" just

--- a/globals.pl
+++ b/globals.pl
@@ -194,8 +194,27 @@ sub SqlLog {
    }
 }

+# This is from the perlsec page, slightly modifed to remove a warning
+# From that page:
+#      This function makes use of the fact that the presence of
+#      tainted data anywhere within an expression renders the
+#      entire expression tainted.
+# Don't ask me how it works...
+sub is_tainted {
+    return not eval { my $foo = join('',@_), kill 0; 1; };
+}
+
 sub SendSQL {
    my ($str, $dontshadow) = (@_);
+
+    # Don't use DBI's taint stuff yet, because:
+    # a) We don't want out vars to be tainted (yet)
+    # b) We want to know who called SendSQL...
+    # Is there a better way to do b?
+    if (is_tainted($str)) {
+        die "Attempted to send tainted string to the database";
+    }
+
    my $iswrite =  ($str =~ /^(INSERT|REPLACE|UPDATE|DELETE)/i);
    if ($iswrite && !$::dbwritesallowed) {
        die "Evil code attempted to write stuff to the shadow database.";

--- a/long_list.cgi
+++ b/long_list.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 # Shut up misguided -w warnings about "used only once".  "use vars" just

--- a/move.pl
+++ b/move.pl
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,9 @@

 use diagnostics;
 use strict;
+
+use lib qw(.);
+
 use Bug;
 require "CGI.pl";
 $::lockcount = 0;

--- a/new_comment.cgi
+++ b/new_comment.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public

--- a/post_bug.cgi
+++ b/post_bug.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 # Shut up misguided -w warnings about "used only once".  For some reason,

--- a/process_bug.cgi
+++ b/process_bug.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -29,6 +29,8 @@ use strict;
 my $UserInEditGroupSet = -1;
 my $UserInCanConfirmGroupSet = -1;

+use lib qw(.);
+
 require "CGI.pl";
 use RelationSet;

@@ -42,6 +44,7 @@ use vars %::versions,
    %::legal_opsys,
    %::legal_platform,
    %::legal_priority,
+    %::settable_resolution,
    %::target_milestone,
    %::legal_severity,
    %::superusergroupset;
@@ -58,13 +61,18 @@ my $requiremilestone = 0;
 # This list will either consist of a single bug number from the "id"
 # form/URL field or a series of numbers from multiple form/URL fields
 # named "id_x" where "x" is the bug number.
+# For each bug being modified, make sure its ID is a valid bug number 
+# representing an existing bug that the user is authorized to access.
 my @idlist;
 if (defined $::FORM{'id'}) {
+    ValidateBugID($::FORM{'id'});
    push @idlist, $::FORM{'id'};
 } else {
    foreach my $i (keys %::FORM) {
        if ($i =~ /^id_([1-9][0-9]*)/) {
-            push @idlist, $1;
+            my $id = $1;
+            ValidateBugID($id);
+            push @idlist, $id;
        }
    }
 }
@@ -74,12 +82,6 @@ scalar(@idlist)
  || DisplayError("You did not select any bugs to modify.")
  && exit;

-# For each bug being modified, make sure its ID is a valid bug number 
-# representing an existing bug that the user is authorized to access.
-foreach my $id (@idlist) {
-    ValidateBugID($id);
-}
-
 # If we are duping bugs, let's also make sure that we can change 
 # the original.  This takes care of issue A on bug 96085.
 if (defined $::FORM{'dup_id'} && $::FORM{'knob'} eq "duplicate") {
@@ -538,7 +540,7 @@ sub ChangeResolution {
    my ($str) = (@_);
    if ($str ne $::dontchange) {
        DoComma();
-        $::query .= "resolution = '$str'";
+        $::query .= "resolution = " . SqlQuote($str);
    }
 }

@@ -695,6 +697,8 @@ SWITCH: for ($::FORM{'knob'}) {
        last SWITCH;
    };
    /^resolve$/ && CheckonComment( "resolve" ) && do {
+        # Check here, because its the only place we require the resolution
+        CheckFormField(\%::FORM, 'resolution', \@::settable_resolution);
        ChangeStatus('RESOLVED');
        ChangeResolution($::FORM{'resolution'});
        last SWITCH;
@@ -1030,8 +1034,15 @@ The changes made were:
            foreach my $i (split('[\s,]+', $::FORM{$target})) {
                if ($i eq "") {
                    next;
+                }

+                my $orig = $i;
+                if (!detaint_natural($i)) {
+                    PuntTryAgain("$orig is not a legal bug number");
                }
+
+                # Don't use CanSeeBug, since we want to keep deps to bugs a
+                # user can't see
                SendSQL("select bug_id from bugs where bug_id = " .
                        SqlQuote($i));
                my $comp = FetchOneColumn();
@@ -1049,7 +1060,8 @@ The changes made were:
            my @stack = @{$deps{$target}};
            while (@stack) {
                my $i = shift @stack;
-                SendSQL("select $target from dependencies where $me = $i");
+                SendSQL("select $target from dependencies where $me = " .
+                        SqlQuote($i));
                while (MoreSQLData()) {
                    my $t = FetchOneColumn();
                    if ($t == $id) {

--- a/queryhelp.cgi
+++ b/queryhelp.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -27,6 +27,8 @@ use vars %::FORM;
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();

--- a/quips.cgi
+++ b/quips.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@ use diagnostics;
 use strict;
 use vars ( %::FORM );

+use lib qw(.);
+
 require "CGI.pl";

 print "Content-type: text/html\n\n";

--- a/relogin.cgi
+++ b/relogin.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@ use strict;

 use vars %::COOKIE;

+use lib qw(.);
+
 require "CGI.pl";

 my $cookiepath = Param("cookiepath");

--- a/reports.cgi
+++ b/reports.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -41,6 +41,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 eval "use GD";
 my $use_gd = $@ ? 0 : 1;
 eval "use Chart::Lines";

--- a/sanitycheck.cgi
+++ b/sanitycheck.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 use vars %::FORM;

--- a/show_activity.cgi
+++ b/show_activity.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();

--- a/show_bug.cgi
+++ b/show_bug.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();

--- a/showattachment.cgi
+++ b/showattachment.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 if (!defined $::FORM{'attach_id'}) {
@@ -43,7 +45,7 @@ ConnectToDatabase();

 quietly_check_login();

-if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) {
+if (!detaint_natural($::FORM{attach_id})) {
    DisplayError("Attachment ID should be numeric.");
    exit;
 }

--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,6 +23,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();
@@ -168,6 +170,10 @@ node [URL="${urlbase}show_bug.cgi?id=\\N", style=filled, color=lightgrey]
    # Cleanup any old .dot files created from previous runs.
    my $since = time() - 24 * 60 * 60;
    foreach my $f (glob("data/webdot/*.dot")) {
+        # Here we are deleting all old files. All entries are from the
+        # data/webdot/ directory. Since we're deleting the file (not following
+        # symlinks), this can't escape to delete anything it shouldn't
+        trick_taint($f);
        if (ModTime($f) < $since) {
            unlink $f;
        }

--- a/showvotes.cgi
+++ b/showvotes.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -25,6 +25,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 ConnectToDatabase();
@@ -61,7 +63,7 @@ if (defined $::FORM{'voteon'}) {

 # Make sure the user ID is a positive integer representing an existing user.
 if (defined $::FORM{'user'}) {
-  $::FORM{'user'} =~ /^([1-9][0-9]*)$/
+  detaint_natural($::FORM{'user'})
    || DisplayError("The user number is invalid.") 
    && exit;
  SendSQL("SELECT 1 FROM profiles WHERE userid = $::FORM{'user'}");

--- a/t/002goodperl.t
+++ b/t/002goodperl.t
@@ -55,13 +55,40 @@ foreach my $file (@testitems) {
    }
    my $file_line1 = <FILE>;
    close (FILE);
+
+    $file =~ m/.*\.(.*)/;
+    my $ext = $1;
+
    if ($file_line1 !~ /\/usr\/bonsaitools\/bin\/perl/) {
        ok(1,"$file does not have a shebang");	
    } else {
-        if ($file_line1 =~ m#/usr/bonsaitools/bin/perl -w#) {
-            ok(1,"$file uses -w");
+        my $flags;
+        if ($file eq "processmail") {
+            # special case processmail, which is tainted checked
+            $flags = "wT";
+        } elsif (!defined $ext || $ext eq "pl") {
+            # standalone programs (eg syncshadowdb) aren't taint checked yet
+            $flags = "w";
+        } elsif ($ext eq "pm") {
+            ok(0, "$file is a module, but has a shebang");
+            next;
+        } elsif ($ext eq "cgi") {
+            # cgi files must be taint checked, but only the user-accessible
+            # ones have been checked so far
+            if ($file =~ m/^edit/) {
+                $flags = "w";
+            } else {
+                $flags = "wT";
+            }
+        } else {
+            ok(0, "$file has shebang but unknown extension");
+            next;
+        }
+
+        if ($file_line1 =~ m#/usr/bonsaitools/bin/perl -$flags#) {
+            ok(1,"$file uses -$flags");
        } else {
-            ok(0,"$file is MISSING -w --WARNING");
+            ok(0,"$file is MISSING -$flags --WARNING");
        }
    }
 }

--- a/token.cgi
+++ b/token.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -28,6 +28,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 # Include the Bugzilla CGI and general utility library.
 require "CGI.pl";


--- a/userprefs.cgi
+++ b/userprefs.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -22,6 +22,8 @@
 use diagnostics;
 use strict;

+use lib qw(.);
+
 require "CGI.pl";

 use RelationSet;

--- a/xml.cgi
+++ b/xml.cgi
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
 # -*- Mode: perl; indent-tabs-mode: nil -*-
 #
 # The contents of this file are subject to the Mozilla Public
@@ -23,10 +23,13 @@

 use diagnostics;
 use strict;
+
+use lib qw(.);
+
 use Bug;
 require "CGI.pl";

-if (!defined $::FORM{'id'} || $::FORM{'id'} !~ /^\s*\d+(,\d+)*\s*$/) {
+if (!defined $::FORM{'id'} || !$::FORM{'id'}) {
  print "Content-type: text/html\n\n";
  PutHeader("Display as XML");
  print "<FORM METHOD=GET ACTION=\"xml.cgi\">\n";