From 0ddb000b0c5280b9a13d9b930ea21ecf546bd5c9 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Sat, 24 Oct 2009 05:26:35 +0000
Subject: Bug 523977: Make Bugzilla::Object->check send the trimmed value to new(), and also be more accurate about what's "empty". This also makes detaint_natural and detaint_signed call int() on their return values. Patch by Max Kanat-Alexander r=LpSolit, a=LpSolit
---
 Bugzilla/Object.pm | 13 ++++++++++---
 Bugzilla/Util.pm | 9 +++------
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index 456888b38..b04593f89 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -117,10 +117,17 @@ sub check {
     if (!ref $param) {
         $param = { name => $param };
     }
+    # Don't allow empty names or ids.
-    my $check_param = exists $param->{id} ? $param->{id} : $param->{name};
-    $check_param = trim($check_param);
-    $check_param || ThrowUserError('object_not_specified', { class => $class });
+    my $check_param = exists $param->{id} ? 'id' : 'name';
+    $param->{$check_param} = trim($param->{$check_param});
+    # If somebody passes us "0", we want to throw an error like
+    # "there is no X with the name 0". This is true even for ids. So here,
+    # we only check if the parameter is undefined or empty.
+    if (!defined $param->{$check_param} or $param->{$check_param} eq '') {
+        ThrowUserError('object_not_specified', { class => $class });
+    }
+
     my $obj = $class->new($param);
     if (!$obj) {
         # We don't want to override the normal template "user" object if
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 513e02857..21588417c 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
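Review bot: The trimmed value is now written back into `$param->{$check_param}`, so a caller that passes its own hashref to check() gets that hash modified in place, which the old code (trimming a local copy) never did; if the side effect is intended it deserves a comment, otherwise take a shallow copy first, `$param = { %$param };`, so the caller's data stays untouched. Note also that only the selected key is trimmed: when a caller supplies both `id` and `name`, `name` reaches new() untrimmed and unchecked, which the old code shared but the new comment ("Don't allow empty names or ids") does not make obvious. The body of check() begins before the hunk and continues past it.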
@@ -68,17 +68,14 @@ sub trick_taint {
 sub detaint_natural {
     my $match = $_[0] =~ /^(\d+)$/;
-    $_[0] = $match ? $1 : undef;
+    $_[0] = $match ? int($1) : undef;
     return (defined($_[0]));
 }
 sub detaint_signed {
     my $match = $_[0] =~ /^([-+]?\d+)$/;
-    $_[0] = $match ? $1 : undef;
-    # Remove any leading plus sign.
-    if (defined($_[0]) && $_[0] =~ /^\+(\d+)$/) {
-        $_[0] = $1;
-    }
+    # The "int()" call removes any leading plus sign.
+    $_[0] = $match ? int($1) : undef;
     return (defined($_[0]));
 }
-- 
cgit v1.2.1
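Review bot: `int($1)` changes what the detainted value is for inputs the regex accepts but the platform integer cannot hold: a digit string wider than the native integer goes through a floating-point conversion, so `$_[0]` can come back as something like `1e+20` instead of the digits that were matched, whereas the previous code handed back `$1` verbatim; both detaint_natural and detaint_signed in this hunk are affected. Leading zeros are dropped as well (`"007"` becomes `7`), which is probably wanted but is not stated. If any caller relies on the exact digits, bound the pattern to a digit count the platform represents exactly, or keep `$1` and strip the sign with a substitution instead of int(); at minimum extend the new comment to `# The "int()" call removes any leading plus sign and leading zeros; values wider than the native integer lose precision.`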