Closed
Bug 38870
Opened 25 years ago
Closed 23 years ago
Can attach to an invalid bug number
Categories
(Bugzilla :: Creating/Changing Bugs, defect, P1)
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: jruderman, Assigned: myk)
i'm submitting this because "you have an error in your sql syntax" sounds like
a bad (potentially security-compromising) bug, not because i expect "eliminate
all sql errors in bugzilla" to happen any time soon.
Attachment to bug 1111000 created
Content-type: text/html
Software error:
select login_name from profiles where userid = : You have an error in your SQL
syntax near '' at line 1 at globals.pl line 133.
Please send mail to this site's webmaster for help.
Reporter
Comment 2•25 years ago
i stumbled onto http://bugzilla.mozilla.org/sanitycheck.cgi today and noticed
the number 1111000 as one of the errors listed.
Reporter
Comment 3•25 years ago
the problem is that createattachment.cgi doesn't make sure the bug exists. it
seems to check to make sure the bug number is in fact a number.
Comment 5•24 years ago
Doesn't mysql support referential transparency? I didn't think this should have
been allowed to happen ...
Bug #39557 is related.
Updated•24 years ago
Whiteboard: 2.14
Updated•24 years ago
Whiteboard: 2.14 → 2.16
Comment 7•23 years ago
I meant "referential integrity" above of course. Pity the answer's no.
Priority: P3 → P1
Whiteboard: 2.16
Comment 8•23 years ago
I think this one can probably be closed now... Bugzilla does check for valid bug
numbers before it does anything [part of the permission checking procedure in
ValidateBugID()].
Assignee: tara → myk
Component: Bugzilla → Creating/Changing Bugs
Product: Webtools → Bugzilla
Version: other → unspecified
Comment 9•23 years ago
I just tried this, and I was able to create an attachment to a non-existent bug
(filed bug #98098 for cleanup).
It allows this both in that it pops up a UI, and that it does the actual
attachment.
Comment 10•23 years ago
New attachment interface does not have this problem.
Depends on: 109480
Summary: sql syntax error when submitting attachment to bug 1111000 → Can attach to an invalid bug number
Assignee
Comment 11•23 years ago
The old attachment interface has been removed per bug 109480. Resolving this
bug fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa
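The gap described in comment 3 (a bug number checked for being numeric but not for existing) and the referential-integrity point in comments 5 and 7, as an added example that is not Bugzilla's code. Python with SQLite stands in for the Perl/MySQL stack, and the two-table schema, function names and sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

def open_db(enforce_fk):
    """In-memory DB; simplified two-table schema assumed for this example."""
    db = sqlite3.connect(":memory:")
    # SQLite enforces REFERENCES only when this pragma is ON, so one schema can
    # model a database without referential integrity and one with it.
    db.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    db.execute("CREATE TABLE bugs (bug_id INTEGER PRIMARY KEY, summary TEXT)")
    db.execute("CREATE TABLE attachments (attach_id INTEGER PRIMARY KEY, "
               "bug_id INTEGER NOT NULL REFERENCES bugs(bug_id), description TEXT)")
    db.execute("INSERT INTO bugs VALUES (38870, 'constructed sample row')")
    return db

def parse_bug_id(raw_id):
    """Format check only: the value must be a plain decimal number."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("bug number must be numeric")
    return int(raw_id)

def attach_format_check_only(db, raw_id, description):
    """The reported behaviour: a well-formed number is enough to insert."""
    db.execute("INSERT INTO attachments (bug_id, description) VALUES (?, ?)",
               (parse_bug_id(raw_id), description))

def attach_with_existence_check(db, raw_id, description):
    """Look the bug up before writing anything that refers to it."""
    bug_id = parse_bug_id(raw_id)
    if db.execute("SELECT 1 FROM bugs WHERE bug_id = ?", (bug_id,)).fetchone() is None:
        raise LookupError(f"bug {bug_id} does not exist")
    db.execute("INSERT INTO attachments (bug_id, description) VALUES (?, ?)",
               (bug_id, description))

def orphan_attachments(db):
    """Consistency query: bug ids referenced by attachments but not in bugs."""
    rows = db.execute("SELECT a.bug_id FROM attachments a LEFT JOIN bugs b "
                      "ON b.bug_id = a.bug_id WHERE b.bug_id IS NULL")
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = open_db(enforce_fk=False)
    attach_format_check_only(db, "1111000", "constructed attachment")
    print("orphans after format-only check:", orphan_attachments(db))
```

With `enforce_fk=True` the database itself rejects the format-only insert, which is the backstop comment 5 was asking about; the application-level lookup is still needed to return a useful error before any write is attempted.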