Bug 50297 - Bugzilla suffers a taint issue when viewing bug 48333 while being logged out
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: web
Version: unknown
Importance: P3 major
Target Milestone: ---
Assignee: Frédéric Buclin
URL: http://gcc.gnu.org/PR48333
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-05 17:24 UTC by Dmitry Gorbachev
Modified: 2012-01-17 23:04 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2011-09-28 00:00:00


Attachments
Ugly hack (685 bytes, patch)
2011-09-29 22:22 UTC, Frédéric Buclin

Description Dmitry Gorbachev 2011-09-05 17:24:05 UTC
Trying to access that bug report, I receive:

undef error - Insecure dependency in parameter 3 of DBI::db=HASH(0x9c9091c)->selectrow_hashref method call while running with -T switch at Bugzilla/Object.pm line 93.

It only happens when I'm not logged in to Bugzilla.
Comment 1 Frédéric Buclin 2011-09-28 18:01:05 UTC
Confirmed. I'll investigate.
Comment 2 Frédéric Buclin 2011-09-28 18:28:31 UTC
I just enabled Bugzilla debug mode, and the relevant error is:

undef error - Insecure dependency in parameter 3 of DBI::db=HASH(0xb097df4)->selectrow_hashref method call while running with -T switch at Bugzilla/Object.pm line 93.
 at Bugzilla/Object.pm line 93
    Bugzilla::Object::_init('Bugzilla::Attachment', 23798) called at Bugzilla/Object.pm line 58
    Bugzilla::Object::new('Bugzilla::Attachment', 23798) called at Bugzilla/Template.pm line 274
    Bugzilla::Template::get_attachment_link(23798, 'attachment 23798 [details]') called at Bugzilla/Template.pm line 230
    Bugzilla::Template::quoteUrls('Created attachment 23798 [details]\x{a}partially reduced testcase\x{a}\x{a}Compiler...', 'Bugzilla::Bug=HASH(0xb180258)', 'Bugzilla::Comment=HASH(0xb3a22a4)') called at Bugzilla/Template.pm line 698
    Bugzilla::Template::__ANON__('Created attachment 23798 [details]\x{a}partially reduced testcase\x{a}\x{a}Compiler...') called at template/en/default/bug/comments.html.tmpl line 188
    eval {...} called at template/en/default/bug/comments.html.tmpl line 121
Comment 3 Frédéric Buclin 2011-09-28 19:19:28 UTC
This is totally crazy. Perl complains that the attachment ID is tainted if you are logged out, but not if you are logged in. And the error comes right *after* a call to detaint_natural(), whose job is to detaint the data!! I suspect this is a bug in Perl 5.8.5 itself. I cannot reproduce with Perl 5.12.3.
Comment 4 Frédéric Buclin 2011-09-28 19:38:40 UTC
The error doesn't occur with all bugs having attachments in them. For instance, I could view bug 28382 without any problem. So the good news is that this problem seems to affect a few bugs at most.
Comment 5 Frédéric Buclin 2011-09-29 22:22:56 UTC
Created attachment 25385 [details]
Ugly hack

Here is an ugly hack which fixes the problem. This code is not necessary on my local installations so this is not something I'm going to apply upstream (but you don't care).
Comment 6 Frédéric Buclin 2011-09-29 22:23:27 UTC
I fixed both Sources and GCC Bugzilla.
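
Added example, not part of the original thread and not Bugzilla's code: a small Perl script showing how taint mode marks a value, how a digits-only regex capture clears the mark, and how checking tainted() just before the database call pinpoints a value that is still tainted. The names detaint_natural_sketch and lookup_attachment are hypothetical stand-ins, and the sample ids are constructed.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical stand-in for a natural-number detaint helper: accept only
# decimal digits and return the regex capture, which Perl marks untainted.
sub detaint_natural_sketch {
    my ($value) = @_;
    return undef unless defined $value && $value =~ /\A(\d+)\z/;
    return int($1);
}

# Hypothetical stand-in for a taint-checking database call: refuse any
# tainted bind value and report its position, like the error on this page.
sub lookup_attachment {
    my (@bind) = @_;
    for my $i (0 .. $#bind) {
        die "tainted bind value at index $i\n" if tainted($bind[$i]);
    }
    return "looked up attachment $bind[0]";
}

# Constructed input: appending a zero-length slice of $^X (tainted under -T)
# taints an otherwise constant string, simulating an id parsed from a comment.
my $taint_flag = substr($^X, 0, 0);
my @samples = map { $_ . $taint_flag } ('23798', '23798x', '');

for my $raw (@samples) {
    printf "raw=%-10s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;

    my $id = detaint_natural_sketch($raw);
    if (!defined $id) {
        print "  rejected: not a natural number\n";
        next;
    }

    # Check the value just before the call: if it is still tainted here, the
    # detaint step did not take effect on the scalar that gets passed on.
    printf "  id=%s tainted=%d\n", $id, tainted($id) ? 1 : 0;
    my $result = eval { lookup_attachment($id) };
    print defined $result ? "  $result\n" : "  error: $@";
}
```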