Adding a column to an Object in an Extension
Max Kanat-Alexander
mkanat at bugzilla.org
Mon Sep 12 23:37:21 UTC 2011
> my $input = Bugzilla->input_params;
> my $group_id = $input->{'group_id'};
> trick_taint($group_id);
> $params->{group_id} = $group_id;

FWIW, you should not be untainting group id here, you should be
untainting it in a validator, if untainting is even required.

> if ($object->isa('Bugzilla::Field::Choice')) {
>     my $input = Bugzilla->input_params;
>     if ($object->{group_id} != $input->{'group_id'}) {
>         my $group_id = $input->{'group_id'};
>         trick_taint($group_id);
>         $object->{group_id} = $group_id;
>     }
> }

This code should not be in object_end_of_set. In fact, as far as I can
see, you shouldn't have *any* code in object_end_of_set. This looks like
code that belongs in a validator instead, and this isn't even a valid
validation. I could pass in any number here and it would take it.

Also, it looks like your object_validators hook references some
function called _check_group_id, but I don't see that here.

> sub object_end_of_set_all {

It's possible that editvalues.cgi isn't using set_all, and that it
should be.

-Max
--
Max Kanat-Alexander
Chief Architect, Community Lead, and Release Manager
Bugzilla Project
http://www.bugzilla.org/
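
Added example, not part of the original message and not Bugzilla code: a stand-alone Perl sketch of the difference the reply describes between untainting a value blindly and untainting it as a side effect of validation. The names `check_group_id`, `blind_untaint` and the `%GROUPS` table are hypothetical stand-ins (a real validator would look the group up in the database); run it with `perl -T` to see the taint flags.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for the groups table: id => name.
my %GROUPS = (1 => 'admin', 7 => 'editbugs', 12 => 'security');

# Zero-length tainted string. Appending it marks the constructed samples
# as tainted when run under "perl -T"; without -T it has no effect.
my $TAINT = substr($^X, 0, 0);

# Hypothetical validator: returns an untainted id of an existing group,
# undef for "no group", and dies on anything else.
sub check_group_id {
    my ($value) = @_;
    return undef if !defined $value || $value eq '';
    # The capture is what untaints, and only a plain natural number matches.
    my ($id) = $value =~ /\A([1-9][0-9]{0,8})\z/
        or die "group_id is not a valid number\n";
    exists $GROUPS{$id}
        or die "group_id $id does not match any group\n";
    return $id;
}

# Stand-in for blind untainting: every string comes out marked clean,
# so the taint check no longer protects anything downstream.
sub blind_untaint {
    my ($value) = @_;
    my ($same) = $value =~ /\A(.*)\z/s;
    return $same;
}

# Constructed sample inputs: one valid id, three that must be rejected.
for my $raw ('7', '999', '7abc', '-3') {
    my $input   = $raw . $TAINT;
    my $blind   = blind_untaint($input);
    my $checked = eval { check_group_id($input) };
    chomp(my $err = $@);
    printf "%-5s in_tainted=%d  blind: kept '%s' (tainted=%d)  validator: %s\n",
        $raw, tainted($input) ? 1 : 0,
        $blind, tainted($blind) ? 1 : 0,
        defined $checked ? "ok, id $checked" : "rejected ($err)";
}
```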