Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing…

Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing a bug if a comment contains 'bug <num>' or 'attachment <num>' where <num> is greater than the max allowed integer r=mkanat a=LpSolit

Bug 583690: (CVE-2010-2759) [SECURITY][PostgreSQL] Bugzilla crashes when viewing…
861fef87 · Frédéric Buclin · 2ea4b3d3 · 861fef87 · 861fef87 · 861fef87
Commit 861fef87 authored Aug 05, 2010 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 12 deletions

Constants.pm Bugzilla/Constants.pm +2 -0

Object.pm Bugzilla/Object.pm +5 -0

Template.pm Bugzilla/Template.pm +6 -12

No files found.
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -170,6 +170,7 @@ use Memoize;

    MIN_SMALLINT
    MAX_SMALLINT
+    MAX_INT_32

    MAX_LEN_QUERY_NAME
    MAX_CLASSIFICATION_SIZE
@@ -513,6 +514,7 @@ use constant ROOT_USER => ON_WINDOWS ? 'Administrator' : 'root';

 use constant MIN_SMALLINT => -32768;
 use constant MAX_SMALLINT => 32767;
+use constant MAX_INT_32 => 2147483647;

 # The longest that a saved search name can be.
 use constant MAX_LEN_QUERY_NAME => 64;

--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -87,6 +87,9 @@ sub _init {
          || ThrowCodeError('param_must_be_numeric',
                            {function => $class . '::_init'});

+        # Too large integers make PostgreSQL crash.
+        return if $id > MAX_INT_32;
+
        $object = $dbh->selectrow_hashref(qq{
            SELECT $columns FROM $table
             WHERE $id_field = ?}, undef, $id);
@@ -165,6 +168,8 @@ sub new_from_list {
        detaint_natural($id) ||
            ThrowCodeError('param_must_be_numeric',
                          {function => $class . '::new_from_list'});
+        # Too large integers make PostgreSQL crash.
+        next if $id > MAX_INT_32;
        push(@detainted_ids, $id);
    }
    # We don't do $invocant->match because some classes have

--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -268,21 +268,15 @@ sub get_attachment_link {
    my ($attachid, $link_text) = @_;
    my $dbh = Bugzilla->dbh;

-    detaint_natural($attachid)
-      || die "get_attachment_link() called with non-integer attachment number";
+    my $attachment = new Bugzilla::Attachment($attachid);

-    my ($bugid, $isobsolete, $desc, $is_patch) =
-        $dbh->selectrow_array('SELECT bug_id, isobsolete, description, ispatch
-                               FROM attachments WHERE attach_id = ?',
-                               undef, $attachid);
-
-    if ($bugid) {
+    if ($attachment) {
        my $title = "";
        my $className = "";
-        if (Bugzilla->user->can_see_bug($bugid)) {
-            $title = $desc;
+        if (Bugzilla->user->can_see_bug($attachment->bug_id)) {
+            $title = $attachment->description;
        }
-        if ($isobsolete) {
+        if ($attachment->isobsolete) {
            $className = "bz_obsolete";
        }
        # Prevent code injection in the title.
@@ -294,7 +288,7 @@ sub get_attachment_link {
        # If the attachment is a patch, try to link to the diff rather
        # than the text, by default.
        my $patchlink = "";
-        if ($is_patch and Bugzilla->feature('patch_viewer')) {
+        if ($attachment->ispatch and Bugzilla->feature('patch_viewer')) {
            $patchlink = '&amp;action=diff';
        }