Bug 406671 - 4.20: make doeditparams.cgi smarter to strongly validate input
Product: Bugzilla
Classification: Community
Component: Bugzilla General
All Linux
low Severity medium (vote)
Assigned To: PnT DevOps Devs
: FutureFeature
Reported: 2007-11-30 12:12 EST by David Lawrence
Modified: 2013-06-23 22:14 EDT (History)
Doc Type: Enhancement
Last Closed: 2012-07-19 01:25:25 EDT
Description David Lawrence 2007-11-30 12:12:57 EST
defparams -> Bugzilla

Kevin Baker
Comment 1 Noura El hawary 2007-12-12 09:51:54 EST

defparams -> Bugzilla::Config -> doeditparams has no way of telling if a param should be an integer value let alone an integer range. What is needed is a superior way of confining a parameter to a value type and a range of values.


This is a problem in 2.18, don't know if it is still an issue in 3.0.


Use Params::Validate to check input. Work this into the upstream


Comment 2 Noura El hawary 2007-12-12 09:52:33 EST
3.0 still treats integers as single line text values but they have a checker function called check_numeric that we could utilize for now.

    # Checker convention: return an error string on failure, "" on success.
    sub check_numeric {
        my ($value) = (@_);
        if ($value !~ /^[0-9]+$/) {
            return "must be a numeric value";
        }
        return "";
    }

Add that to defparams.pl and then in the cookie_expire_days section make it

    {
        name    => 'cookie_expire_days',
        desc    => 'Number of days before the stored session cookies will expire. Also determines the ' .
                   'number of days that internal code will clean out stale cookies if older than lastused value.',
        type    => 't',
        default => '',
        checker => \&check_numeric,
    },

doeditparams.cgi should pick this up and error if the value is not a positive integer.
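
One way to confine a parameter to both a type and a range while keeping the checker convention of check_numeric (empty string on success, error message otherwise). This is an added example, not part of the original comments or of Bugzilla's code; make_range_checker, the 1 to 365 bounds and the default of 30 are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Bugzilla): build a checker that confines a
# parameter to an integer type and an inclusive range. Same convention as
# check_numeric: return "" when valid, an error string otherwise.
sub make_range_checker {
    my ($min, $max) = @_;
    return sub {
        my ($value) = @_;
        return "must be defined" unless defined $value;
        # \A...\z anchors the whole string; a bare $ also accepts "30\n".
        return "must be a numeric value" unless $value =~ /\A[0-9]+\z/;
        # Drop leading zeros, then bound the length before comparing so
        # very long digit strings are never converted to floating point.
        (my $n = $value) =~ s/\A0+(?=[0-9])//;
        return "must be between $min and $max"
            if length($n) > length($max) || $n < $min || $n > $max;
        return "";
    };
}

# Constructed parameter definition in the style of the cookie_expire_days
# entry above; the bounds and default are assumptions for illustration.
my %param = (
    name    => 'cookie_expire_days',
    type    => 't',
    default => '30',
    checker => make_range_checker(1, 365),
);

# Constructed sample inputs, as they might arrive from the edit form.
my @inputs = ('30', '0030', '0', '366', '-5', '3.5', "30\n", '1e3', '',
              '99999999999999999999');

for my $input (@inputs) {
    my $error = $param{checker}->($input);
    (my $shown = $input) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-24s %s\n", "'$shown'",
        $error eq '' ? 'ok' : "rejected: $param{name} $error";
}
```

Only '30' and '0030' are accepted; the newline-terminated value is the case the `^...$` pattern in check_numeric would let through.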
Comment 3 David Lawrence 2008-08-18 17:11:07 EDT
Voting for future Bugzilla features will be opening soon. Announcement of start date will be posted to the bugzilla-development-list@redhat.com and other broader audience.

Comment 4 David Lawrence 2010-01-15 12:32:29 EST
Red Hat Bugzilla is now using version 3.4 of the Bugzilla codebase and
therefore this feature will need to be implemented against the new release.
Updating bug version to 3.2.
Comment 5 David Lawrence 2010-08-25 17:40:36 EDT
Red Hat has now upgraded to Bugzilla 3.6 and this bug will now be reassigned to that version. It would be helpful to the Bugzilla Development Team if this bug is verified to still be an issue with the latest version. If it is no longer an issue, then feel free to close, otherwise please comment that it is still a problem and we will try to address the issue as soon as we can.

Bugzilla Development Team
Comment 7 Jeff Fearn 2012-05-30 00:37:36 EDT
As part of the recent Bugzilla 2.4 upgrade the Bugzilla team are cleaning up bugs opened against old versions of Bugzilla. This bug has been flagged as an old bug and will be CLOSED WONTFIX in 7 days time.

If you believe this bug is an issue in the latest Bugzilla version please comment on this bug within 7 days. Doing so will ensure this bug is not closed automatically.

Thanks, the Bugzilla team.
Comment 8 Jeff Fearn 2012-07-19 01:25:25 EDT
As noted previously, the Bugzilla Team is cleaning up a large number of outstanding issues that have bit rotted. This bug is being closed as there has been no response to that notification.

If you believe this bug is still important please reopen this bug in the NEW status and PM will consider it.
