aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--globals.pl2
-rwxr-xr-xprocess_bug.cgi26
2 files changed, 13 insertions, 15 deletions
diff --git a/globals.pl b/globals.pl
index 37ecdafbe..d8e5672e0 100644
--- a/globals.pl
+++ b/globals.pl
@@ -213,7 +213,7 @@ sub SendSQL {
# b) We want to know who called SendSQL...
# Is there a better way to do b?
if (is_tainted($str)) {
- die "Attempted to send tainted string to the database";
+ die "Attempted to send tainted string '$str' to the database";
}
my $iswrite = ($str =~ /^(INSERT|REPLACE|UPDATE|DELETE)/i);
diff --git a/process_bug.cgi b/process_bug.cgi
index 13942ca5f..dcde93035 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -92,20 +92,6 @@ if (defined $::FORM{'dup_id'} && $::FORM{'knob'} eq "duplicate") {
DuplicateUserConfirm();
}
-# If the user has a bug list and is processing one bug, then after
-# we process the bug we are going to show them the next bug on their
-# list. Thus we have to make sure this bug ID is also valid,
-# since a malicious cracker might alter their cookies for the purpose
-# gaining access to bugs they are not authorized to access.
-if ( defined $::COOKIE{"BUGLIST"} && defined $::FORM{'id'} ) {
- my @buglist = split( /:/ , $::COOKIE{"BUGLIST"} );
- my $idx = lsearch( \@buglist , $::FORM{"id"} );
- if ($idx < $#buglist) {
- my $nextbugid = $buglist[$idx + 1];
- ValidateBugID($nextbugid);
- }
-}
-
######################################################################
# End Data/Security Validation
######################################################################
@@ -484,6 +470,18 @@ if ($action eq Param("move-button-text")) {
print "<TITLE>Update Bug " . join(" ", @idlist) . "</TITLE>\n";
if (defined $::FORM{'id'}) {
navigation_header();
+ if (defined $::next_bug) {
+ # If there is another bug, then we're going to display it,
+ # so check that its a legal bug
+ # We need to check that its a number first
+ if (!(detaint_natural($::next_bug) && CanSeeBug($::next_bug))) {
+ # This isn't OK
+ # Rather than error out (which could validly happen if there
+ # was a bug in the list whose group was changed in the meantime)
+ # just remove references to it
+ undef $::next_bug;
+ }
+ }
}
print "<HR>\n";
$::query = "update bugs\nset";