| author | justdave%syndicomm.com <> | 2003-11-03 11:31:30 +0000 |
|---|---|---|
| committer | justdave%syndicomm.com <> | 2003-11-03 11:31:30 +0000 |
| commit | a4e75a434f1fbbae4b438927ae02958baad7f1b7 (patch) | |
| tree | 74a5ab12bbf20c934af898475a3f6c7303b68013 /editkeywords.cgi | |
| parent | a30e5f2cf9b04a8a377186ecb3b90b4311d23894 (diff) | |
| download | bugs-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar bugs-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.gz bugs-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.bz2 bugs-a4e75a434f1fbbae4b438927ae02958baad7f1b7.tar.xz bugs-a4e75a434f1fbbae4b438927ae02958baad7f1b7.zip | |
[SECURITY] Bug 219044: A user with 'editkeywords' privileges (i.e. usually an administrator) can inject arbitrary SQL via the URL used to edit an existing keyword.
Patch by Joel Peshkin <bugreport@peshkin.net>
r= justdave, zach a= justdave
Diffstat (limited to 'editkeywords.cgi')
| -rwxr-xr-x | editkeywords.cgi | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/editkeywords.cgi b/editkeywords.cgi index 073dfbb9d..7af0c1a6c 100755 --- a/editkeywords.cgi +++ b/editkeywords.cgi @@ -126,6 +126,7 @@ unless (UserInGroup("editkeywords")) { my $action = trim($::FORM{action} || ''); +detaint_natural($::FORM{id}); if ($action eq "") { |
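Review bot: the return value of detaint_natural() is discarded on the added line before `if ($action eq "")`, so a request whose id is missing or not a natural number is not rejected at this point; it carries on into the action dispatch with whatever value detaint_natural() leaves behind, and any branch that needs an existing keyword id will then fail later and less clearly instead of with an explicit error. The call is also unconditional, so it runs for the empty-action listing where no id is expected at all. Consider checking the result, e.g. `detaint_natural($::FORM{id}) || <throw an error>`, in the branches that actually require an id, rather than detainting silently ahead of the dispatch.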
