author | 2009-09-11 16:15:43 +0000 | |
---|---|---|
committer | 2009-09-11 16:15:43 +0000 | |
commit | 73459a43851cc54c9d811fad6b58661f49edb3df (patch) | |
tree | 94f7e5a54592962bc16671b6db963f094e5aa8a2 | |
parent | Bug 515804: Release Notes for Bugzilla 3.2.5 (diff) | |
Bug 515191: [SECURITY] SQL Injection via Bug.create (CVE-2009-3165)
-rw-r--r-- | Bugzilla/Object.pm | 13 | ||||
-rw-r--r--[-rwxr-xr-x] | Bugzilla/WebService/Constants.pm | 2 | ||||
-rw-r--r-- | template/en/default/global/code-error.html.tmpl | 5 |
3 files changed, 20 insertions, 0 deletions
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index d616bb2da..7f39b81f6 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -157,6 +157,7 @@ sub match {
     my (@terms, @values);
     foreach my $field (keys %$criteria) {
+        $class->_check_field($field, 'match');
         my $value = $criteria->{$field};
         if (ref $value eq 'ARRAY') {
             # IN () is invalid SQL, and if we have an empty list
@@ -300,6 +301,17 @@ sub create {
     return $object;
 }
+# Used to validate that a field name is in fact a valid column in the
+# current table before inserting it into SQL.
+sub _check_field {
+    my ($invocant, $field, $function) = @_;
+    my $class = ref($invocant) || $invocant;
+    if (!Bugzilla->dbh->bz_column_info($class->DB_TABLE, $field)) {
+        ThrowCodeError('param_invalid', { param => $field, function => "${class}::$function" });
+    }
+}
+
 sub check_required_create_fields {
     my ($class, $params) = @_;
@@ -342,6 +354,7 @@ sub insert_create_data {
     my (@field_names, @values);
     while (my ($field, $value) = each %$field_values) {
+        $class->_check_field($field, 'create');
         push(@field_names, $field);
         push(@values, $value);
     }
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 98597a98e..078d76e1d 100755..100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -52,6 +52,8 @@ use constant WS_ERROR_CODE => {
     object_name_not_specified => 50,
     param_required => 50,
     object_does_not_exist => 51,
+    # Error 52 exists only in later releases.
+    param_invalid => 53,
     # Bug errors usually occupy the 100-200 range.
     improper_bug_id_field_value => 100,
     bug_id_does_not_exist => 101,
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index bb07068ec..ed5ddc0c9 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
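Review bot: `_check_field` in the second Object.pm hunk has no explicit `return`, so its value is whatever the trailing `if` evaluates to; add `return 1;` after the `if` block and extend the header comment so callers know it throws rather than returns false: `# Throws a 'param_invalid' code error (WebService error 53) when $field is not a column of $class->DB_TABLE; returns 1 otherwise.` Validating the hash key against the live schema via `bz_column_info` is the right allowlist here, since the keys that `match` and `insert_create_data` interpolate into SQL come from the caller rather than from a fixed list. If any other method in Object.pm also builds SQL from caller-supplied hash keys it should receive the same call, but that cannot be confirmed from this hunk. The bodies of `match` and `insert_create_data`, including where `$class` is unpacked, start outside the hunks.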
@@ -318,6 +318,11 @@
     There is no valid transition from [%+ get_status("UNCONFIRMED") FILTER html %] to an open state.
+  [% ELSIF error == "param_invalid" %]
+    [% title = "Invalid Parameter" %]
+    <code>[% param FILTER html %]</code> is not a valid parameter for the [% function FILTER html %] function.
+
+  [% ELSIF error == "param_must_be_numeric" %]
     [% title = "Invalid Parameter" %]
     Invalid parameter passed to [% function FILTER html %]. |