From ffd6464c9efa12cbe4fa40d7fa89d01dfdc73e51 Mon Sep 17 00:00:00 2001
From: "gerv%gerv.net"
Date: Thu, 26 Sep 2002 23:25:12 +0000
Subject: [PATCH] Bug 170986 - General Summary reports don't work with taint checking. Also fixes Throw*Error's $extra_vars parameter. Patch by gerv; r=bbaetz.
git-svn-id: svn://10.0.0.236/trunk@130545 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/webtools/bugzilla/CGI.pl | 12 ++++++++----
 mozilla/webtools/bugzilla/globals.pl | 2 ++
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/mozilla/webtools/bugzilla/CGI.pl b/mozilla/webtools/bugzilla/CGI.pl
index b9504983b11..d6c040978e8 100644
--- a/mozilla/webtools/bugzilla/CGI.pl
+++ b/mozilla/webtools/bugzilla/CGI.pl
@@ -854,8 +854,10 @@ sub ThrowCodeError {
 SendSQL("UNLOCK TABLES") if $unlock_tables;
 # Copy the extra_vars into the vars hash
- @::vars{keys %$extra_vars} = values %$extra_vars;
-
+ foreach my $var (keys %$extra_vars) {
+ $vars->{$var} = $extra_vars->{$var};
+ }
+
 # We may one day log something to file here also.
 $vars->{'variables'} = $extra_vars;
@@ -873,8 +875,10 @@ sub ThrowUserError {
 SendSQL("UNLOCK TABLES") if $unlock_tables;
 # Copy the extra_vars into the vars hash
- @::vars{keys %$extra_vars} = values %$extra_vars;
-
+ foreach my $var (keys %$extra_vars) {
+ $vars->{$var} = $extra_vars->{$var};
+ }
+
 print "Content-type: text/html\n\n" if !$vars->{'header_done'};
 $template->process("global/user-error.html.tmpl", $vars) || ThrowTemplateError($template->error());
diff --git a/mozilla/webtools/bugzilla/globals.pl b/mozilla/webtools/bugzilla/globals.pl
index 64031bc8534..a6a75156284 100644
--- a/mozilla/webtools/bugzilla/globals.pl
+++ b/mozilla/webtools/bugzilla/globals.pl
@@ -1637,6 +1637,8 @@ sub GetFormat {
 # Security - allow letters and a hyphen only
 $ctype =~ s/[^a-zA-Z\-]//g;
 $format =~ s/[^a-zA-Z\-]//g;
+ trick_taint($ctype);
+ trick_taint($format);
 $template .= ($format ? "-$format" : "");
 $template .= ".$ctype.tmpl";
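Review bot: The new copy loop in ThrowCodeError writes every key of `$extra_vars` into `$vars` without checking whether `$vars` already uses that name, and the identical loop in ThrowUserError runs immediately before `$vars->{'header_done'}` is read, so a colliding key there would decide whether the Content-type header is printed. If callers only ever pass their own variable names this is harmless, but nothing in either hunk states that contract. A comment above each loop such as `# Callers must not pass keys that $vars already uses (e.g. header_done, variables)` would record it, or the loop could refuse to clobber with `next if exists $vars->{$var};`. Both function bodies start and end outside their hunks, so the keys already present in `$vars` at this point are only partly visible.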
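Review bot: The two added `trick_taint` calls in GetFormat are justified only by the `s/[^a-zA-Z\-]//g` substitutions directly above them, and the code does not say so; `trick_taint` is defined outside this page and presumably clears the taint flag unconditionally. A comment on the added lines such as `# Safe to untaint: both values were just reduced to [a-zA-Z-] above` would stop a later edit from loosening or moving the filter while the untaint keeps vouching for the value. The filter can also leave `$ctype` empty, which would make the next lines build a name ending in `..tmpl`; whether a default is applied earlier in the function is not visible in the hunk, so that case deserves an explicit check or a note that it is handled above.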