[Gforge-commits] gforge/common/frs FRSFile.class,1.11,1.12
From: |
mpeltier |
Subject: |
[Gforge-commits] gforge/common/frs FRSFile.class,1.11,1.12 |
Date: |
Sat, 11 Dec 2004 18:08:12 -0600 |
Update of /cvsroot/gforge/gforge/common/frs
In directory db.perdue.net:/tmp/cvs-serv12916/common/frs
Modified Files:
FRSFile.class
Log Message:
Hopefully fixed the security problem introduced by my last commit (reported by Tim):
check that the new package and release ids are valid and belong to the
same project before doing the update.
Index: FRSFile.class
===================================================================
RCS file: /cvsroot/gforge/gforge/common/frs/FRSFile.class,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- FRSFile.class 10 Dec 2004 00:22:40 -0000 1.11
+++ FRSFile.class 12 Dec 2004 00:08:09 -0000 1.12
@@ -321,10 +321,11 @@
* @param int The type_id of this file from the
frs-file-types table.
* @param int The processor_id of this file from the
frs-processor-types table.
* @param int The release_date of this file in unix time
(seconds).
+ * @param int The package_id of the package the release of
this file belongs to.
* @param int The release_id of the release this file belongs
to.
* @return boolean success.
*/
- function update($type_id,$processor_id,$release_time,$release_id) {
+ function
update($type_id,$processor_id,$release_time,$package_id,$release_id) {
$perm =& $this->FRSRelease->FRSPackage->Group->getPermission(
session_get_user() );
if (!$perm || !is_object($perm) ||
!$perm->isReleaseTechnician()) {
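Review bot: Inserting `$package_id` before `$release_id` changes what the fourth positional argument means, so a caller that still passes four arguments would now hand its release id in as the package id and leave `$release_id` unset. The call sites are not part of this diff, so every caller of update() should be checked and moved to the five-argument form in the same commit. The docblock also names the third parameter release_date while the signature calls it `$release_time`; `@param int The release_time of this file in unix time (seconds).` would keep the two in step. The body of update() continues outside this hunk.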
@@ -332,6 +333,22 @@
return false;
}
+ // Does the new package id value really correspond to a package
of this group?
+ $frsp = new
FRSPackage($this->FRSRelease->FRSPackage->Group,$package_id);
+ if (!$frsp || !is_object($frsp)) {
+ exit_error('Error','Could Not Get New FRSPackage');
+ } elseif ($frsp->isError()) {
+ exit_error('Error',$frsp->getErrorMessage());
+ }
+
+ // Does the new release id value really correspond to a release
of the new package?
+ $frsr = new FRSRelease($frsp,$release_id);
+ if (!$frsr || !is_object($frsr)) {
+ exit_error('Error','Could Not Get New FRSRelease');
+ } elseif ($frsr->isError()) {
+ exit_error('Error',$frsr->getErrorMessage());
+ }
+
$res=db_query("UPDATE frs_file SET
type_id='$type_id',
processor_id='$processor_id',
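Review bot: The two new checks only protect the update if the FRSPackage and FRSRelease constructors flag an error when the id does not belong to the Group or package passed in; that behaviour is not visible in this hunk, so it should be confirmed and stated in a comment such as `// FRSPackage reports an error if $package_id is not in this Group`. The numeric parameters are still used as received, and the UPDATE in the context lines interpolates `$type_id` and `$processor_id` into the SQL string; casting them at the top of update(), e.g. `$release_id = (int) $release_id;`, would remove the reliance on callers passing clean integers. A failed check here calls `exit_error()` while the permission failure just above returns false, which does not match the documented `@return boolean`. update() starts and ends outside this hunk.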
@@ -345,9 +362,7 @@
}
return true;
-
}
-
}
?>