Bug 406671 - 4.20: make doeditparams.cgi smarter to strongly validate input
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Bugzilla
Classification: Community
Component: Bugzilla General
Version: 3.6
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: PnT DevOps Devs
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-30 17:12 UTC by David Lawrence
Modified: 2013-06-24 02:14 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-19 05:25:25 UTC
Embargoed:



Description David Lawrence 2007-11-30 17:12:57 UTC
Description:
defparams -> Bugzilla

Requester:
Kevin Baker

Comment 1 Noura El hawary 2007-12-12 14:51:54 UTC
Problem:

defparams -> Bugzilla::Config -> doeditparams has no way of telling if a param
should be an integer value let alone an integer range. What is needed is a
superior way of confining a parameter to a value type and a range of values.

Homework:

This is a problem in 2.18, don't know if it is still an issue in 3.0.


Solution:

Use Params::Validate to check input. Work this into the upstream

Target:



Comment 2 Noura El hawary 2007-12-12 14:52:33 UTC
3.0 still treats integers as single line text values but they have a checker
function called check_numeric that we could utilize for now.

sub check_numeric {
    my ($value) = (@_);
    if ($value !~ /^[0-9]+$/) {
        return "must be a numeric value";
    }
    return "";
}

Add that to defparams.pl and then in the cookie_expire_days section make it

{
    name    => 'cookie_expire_days',
    desc    => 'Number of days before the stored session cookies will expire. Also determines the ' .
               'number of days that internal code will clean out stale cookies if older than lastused value.',
    type    => 't',
    default => '',
    checker => \&check_numeric,
},

doeditparams.cgi should pick this up and error if the value is not a
positive integer.
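
A range-aware checker of the kind Comment 1 asks for, written to the checker convention shown in Comment 2 (return "" when valid, an error string otherwise). This is an added example, not code from this bug report or from Bugzilla; make_int_range_checker, the 1 to 365 range, the default of '30' and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Bugzilla): build a checker that follows the
# convention shown above -- return "" when valid, an error string otherwise.
sub make_int_range_checker {
    my ($min, $max) = @_;
    return sub {
        my ($value) = @_;
        return "must be a numeric value" unless defined $value;
        # \A and \z anchor the whole string; unlike ^...$ this rejects "30\n".
        # [0-9] (not \d) keeps the match to ASCII digits, and the length cap
        # keeps the numeric comparison below within native integer range.
        return "must be a numeric value"
            unless $value =~ /\A[0-9]{1,9}\z/;
        return "must be between $min and $max"
            if $value < $min || $value > $max;
        return "";
    };
}

# Constructed parameter definition in the same shape as the one above.
my @param_list = (
    {
        name    => 'cookie_expire_days',
        type    => 't',
        default => '30',
        checker => make_int_range_checker(1, 365),
    },
);

# Constructed form input, standing in for what doeditparams.cgi receives.
my @submitted = ('30', '0030', '0', '366', '-5', '3.5', "30\n", '');

for my $param (@param_list) {
    for my $value (@submitted) {
        my $error = $param->{checker}->($value);
        (my $shown = $value) =~ s/\n/\\n/g;    # make the newline visible
        printf "%-20s %-8s %s\n", $param->{name}, "'$shown'",
            $error eq "" ? "accepted" : "rejected: $error";
    }
}
```

Only '30' and '0030' are accepted; the empty string, the out-of-range values, the signed and fractional values and the value with a trailing newline are all rejected.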

Comment 3 David Lawrence 2008-08-18 21:11:07 UTC
Voting for future Bugzilla features will be opening soon. Announcement of start date will be posted to the bugzilla-development-list and other broader audience.

Dave

Comment 4 David Lawrence 2010-01-15 17:32:29 UTC
Red Hat Bugzilla is now using version 3.4 of the Bugzilla codebase and
therefore this feature will need to be implemented against the new release.
Updating bug version to 3.2.

Comment 5 David Lawrence 2010-08-25 21:40:36 UTC
Red Hat has now upgraded to Bugzilla 3.6 and this bug will now be reassigned to that version. It would be helpful to the Bugzilla Development Team if this bug is verified to still be an issue with the latest version. If it is no longer an issue, then feel free to close, otherwise please comment that it is still a problem and we will try to address the issue as soon as we can.

Thanks
Bugzilla Development Team

Comment 7 Jeff Fearn 🐞 2012-05-30 04:37:36 UTC
As part of the recent Bugzilla 2.4 upgrade the Bugzilla team are cleaning up bugs opened against old versions of Bugzilla. This bug has been flagged as an old bug and will be CLOSED WONTFIX in 7 days time.

If you believe this bug is an issue in the latest Bugzilla version please comment on this bug within 7 days. Doing so will ensure this bug is not closed automatically.

Thanks, the Bugzilla team.

Comment 8 Jeff Fearn 🐞 2012-07-19 05:25:25 UTC
As noted previously, the Bugzilla Team is cleaning up a large number of outstanding issues that have bit rotted. This bug is being closed as there has been no response to that notification.

If you believe this bug is still important please reopen this bug in the NEW status and PM will consider it.

