aboutsummaryrefslogtreecommitdiffstats
path: root/showattachment.cgi
diff options
context:
space:
mode:
authorjustdave%syndicomm.com <>2002-01-20 09:44:34 +0000
committerjustdave%syndicomm.com <>2002-01-20 09:44:34 +0000
commit4e6767d4c3d1b0b583f4ec076992345545294748 (patch)
tree44d10a299f4d910400fb420b38e21e769c00be7e /showattachment.cgi
parent72f340e3a12668c9356102c71f864afa986e001a (diff)
downloadbugs-4e6767d4c3d1b0b583f4ec076992345545294748.tar
bugs-4e6767d4c3d1b0b583f4ec076992345545294748.tar.gz
bugs-4e6767d4c3d1b0b583f4ec076992345545294748.tar.bz2
bugs-4e6767d4c3d1b0b583f4ec076992345545294748.tar.xz
bugs-4e6767d4c3d1b0b583f4ec076992345545294748.zip
Fix for bug 108982: enable taint mode for all user-facing CGI files.
Patch by Brad Baetz <bbaetz@student.usyd.edu.au> r= jake, justdave
Diffstat (limited to 'showattachment.cgi')
-rwxr-xr-xshowattachment.cgi6
1 files changed, 4 insertions, 2 deletions
diff --git a/showattachment.cgi b/showattachment.cgi
index 78143c550..70f5c6d66 100755
--- a/showattachment.cgi
+++ b/showattachment.cgi
@@ -1,4 +1,4 @@
-#!/usr/bonsaitools/bin/perl -w
+#!/usr/bonsaitools/bin/perl -wT
# -*- Mode: perl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public
@@ -24,6 +24,8 @@
use diagnostics;
use strict;
+use lib qw(.);
+
require "CGI.pl";
if (!defined $::FORM{'attach_id'}) {
@@ -43,7 +45,7 @@ ConnectToDatabase();
quietly_check_login();
-if ($::FORM{attach_id} !~ /^[1-9][0-9]*$/) {
+if (!detaint_natural($::FORM{attach_id})) {
DisplayError("Attachment ID should be numeric.");
exit;
}