[bugzilla-gnome-org-upstream/4.4] Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error r=dkl, a=dkl
- From: Andrea Veri <av src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [bugzilla-gnome-org-upstream/4.4] Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error r=dkl, a=dkl
- Date: Wed, 18 May 2016 11:56:48 +0000 (UTC)
commit fc5cdf3a7f7b40faca8c0efeb567cdd21376460a
Author: Dylan Hardison <dylan mozilla com>
Date: Tue Dec 22 11:53:56 2015 -0500
Bug 1230932 - Providing a condition as an ID to the webservice results in a taint error
r=dkl,a=dkl
Bugzilla/WebService/Constants.pm | 1 +
Bugzilla/WebService/Util.pm | 12 +++++++++++-
template/en/default/global/code-error.html.tmpl | 3 +++
3 files changed, 15 insertions(+), 1 deletions(-)
---
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index f289cae..722abd1 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -51,6 +51,7 @@ use constant WS_ERROR_CODE => {
number_too_large => 54,
number_too_small => 55,
illegal_date => 56,
+ param_integer_array_required => 58,
# Bug errors usually occupy the 100-200 range.
improper_bug_id_field_value => 100,
bug_id_does_not_exist => 101,
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index c7d63b3..7b2c241 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -9,6 +9,9 @@ package Bugzilla::WebService::Util;
use strict;
use base qw(Exporter);
+use List::MoreUtils qw(all any);
+use Bugzilla::Error;
+
# We have to "require", not "use" this, because otherwise it tries to
# use features of Test::More during import().
require Test::Taint;
@@ -103,7 +106,8 @@ sub validate {
# sent any parameters at all, and we're getting @keys where
# $params should be.
return ($self, undef) if (defined $params and !ref $params);
-
+
+ my @id_params = qw( ids comment_ids );
# If @keys is not empty then we convert any named
# parameters that have scalar values to arrayrefs
# that match.
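Review bot: The `@id_params` list is hard-coded to `ids` and `comment_ids`, so the integer check added further down in `validate` applies only to those two keys; any other ID-carrying key a caller passes in `@keys` is still converted to an arrayref but not checked. A comment above the declaration such as `# Keys whose values must be arrays of non-negative integers; extend this when a method adds another ID list.` would make that contract visible to whoever adds the next webservice method. The `-`/`+` pair just above the declaration also appears to replace an empty line with a whitespace-only one, which is best dropped from the patch. The body of `validate` starts and ends outside this hunk.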
@@ -112,6 +116,12 @@ sub validate {
$params->{$key} = ref $params->{$key}
? $params->{$key}
: [ $params->{$key} ];
+
+ if (any { $key eq $_ } @id_params) {
+ my $ids = $params->{$key};
+ ThrowCodeError('param_integer_array_required', { param => $key })
+ unless ref($ids) eq 'ARRAY' && all { /^[0-9]+$/ } @$ids;
+ }
}
}
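Review bot: The pattern `/^[0-9]+$/` in the added `all { ... }` check still accepts a value with a trailing newline, because `$` also matches just before a final `\n`. A string like that passes as an integer ID and is handed on unchanged. Anchoring the whole string, `unless ref($ids) eq 'ARRAY' && all { /\A[0-9]+\z/ } @$ids;`, closes that gap without changing what valid callers send. The pattern also puts no bound on the number of digits; whether a range check is needed depends on how the consumers of `ids` convert the value, which is not visible here. The enclosing loop and `sub validate` open outside this hunk.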
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index e441632..cd0e3c2 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -290,6 +290,9 @@
a <code>[% param FILTER html %]</code> argument, and that
argument was not set.
+ [% ELSIF error == "param_integer_array_required" %]
+ The <code>[% param FILTER html %]</code> parameter must be an array of integers.
+
[% ELSIF error == "params_required" %]
[% title = "Missing Parameter" %]
The function <code>[% function FILTER html %]</code> requires
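Review bot: The new `param_integer_array_required` branch sets no `title`, while the `params_required` branch right below it does (`[% title = "Missing Parameter" %]`), so this error presumably falls back to the template's default heading. If that is not intended, add a line such as `[% title = "Invalid Parameter" %]` at the top of the branch. Passing `param` through `FILTER html` is consistent with the neighbouring branches and should stay.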