Fix for bug 154008: some basic (but incomplete) maintenance on bug_email.pl, also fixes a possible security hole with a misuse

of a system() call.
Patches by Erik Anderson <erikba@teamworkgroup.com> and Brad Baetz <bbaetz@student.usyd.edu.au>
r= myk, justdave

2 files changed, 25 insertions, 14 deletions

diff --git a/contrib/bug_email.pl b/contrib/bug_email.pl
index da0f11308..27b6098d0 100755
--- a/contrib/bug_email.pl
+++ b/contrib/bug_email.pl
@@ -37,7 +37,7 @@
 #
 # You need to work with bug_email.pl the MIME::Parser installed.
 # 
-# $Id: bug_email.pl,v 1.9 2001/05/25 12:48:47 jake%acutex.net Exp $
+# $Id: bug_email.pl,v 1.9.10.1 2002/07/25 01:47:50 justdave%syndicomm.com Exp $
 ###############################################################
 
 # 02/12/2000 (SML)
@@ -70,7 +70,9 @@ use diagnostics;
 use strict;
 use MIME::Parser;
 
-push @INC, "../."; # this script now lives in contrib
+chdir '..';        # this script lives in contrib
+push @INC, "contrib/.";
+push @INC, ".";
 
 require "globals.pl";
 require "BugzillaEmail.pm";
@@ -736,10 +738,10 @@ my $parser = new MIME::Parser;
 
 # Create and set the output directory:
 # FIXME: There should be a $BUGZILLA_HOME variable (SML)
-(-d "../data/mimedump-tmp") or mkdir "../data/mimedump-tmp",0755 or die "mkdir: $!";
-(-w "../data/mimedump-tmp") or die "can't write to directory";
+(-d "data/mimedump-tmp") or mkdir "data/mimedump-tmp",0755 or die "mkdir: $!";
+(-w "data/mimedump-tmp") or die "can't write to directory";
 
-$parser->output_dir("../data/mimedump-tmp");
+$parser->output_dir("data/mimedump-tmp");
     
 # Read the MIME message:
 my $entity = $parser->read(\*STDIN) or die "couldn't parse MIME stream";
@@ -1230,11 +1232,17 @@ END
 	SendSQL("select LAST_INSERT_ID()");
 	$id = FetchOneColumn();
 
-	my $long_desc_query = "INSERT INTO longdescs SET bug_id=$id, who=$userid, bug_when=\'$bug_when\', thetext=" . SqlQuote($comment);
-	SendSQL($long_desc_query);
-
-	# Cool, the mail was successfull
-	system("cd .. ; ./processmail $id '$Sender'");
+        my $long_desc_query = "INSERT INTO longdescs SET bug_id=$id, who=$userid, bug_when=\'$bug_when\', thetext=" . SqlQuote($comment);
+        SendSQL($long_desc_query);
+
+        # Cool, the mail was successful
+        # chdir back to the main directory which has the processmail script
+        # Oh, for a processmail module....
+        use Cwd;
+        my $old_cwd = getcwd();
+        chdir("..");
+        system("./processmail", $id, $SenderShort);
+        chdir($old_cwd);
     } else {
 	$id = 0xFFFF;  # TEST !
 	print "\n-------------------------------------------------------------------------\n";
diff --git a/contrib/bugzilla_email_append.pl b/contrib/bugzilla_email_append.pl
index b10d8e030..826b49198 100755
--- a/contrib/bugzilla_email_append.pl
+++ b/contrib/bugzilla_email_append.pl
@@ -32,7 +32,9 @@ use diagnostics;
 use strict;
 use MIME::Parser;
 
-push @INC, "../."; # this script lives in contrib
+chdir "..";        # this script lives in contrib, change to main
+push @INC, "contrib";
+push @INC, "."; # this script lives in contrib
 require "globals.pl";
 require "BugzillaEmail.pm";
 
@@ -43,10 +45,10 @@ my $Comment = "";
 
 # Create and set the output directory:
 # FIXME: There should be a $BUGZILLA_HOME variable (SML)
-(-d "../data/mimedump-tmp") or mkdir "../data/mimedump-tmp",0755 or die "mkdir: $!";
-(-w "../data/mimedump-tmp") or die "can't write to directory";
+(-d "data/mimedump-tmp") or mkdir "data/mimedump-tmp",0755 or die "mkdir: $!";
+(-w "data/mimedump-tmp") or die "can't write to directory";
 
-$parser->output_dir("../data/mimedump-tmp");
+$parser->output_dir("data/mimedump-tmp");
     
 # Read the MIME message:
 my $entity = $parser->read(\*STDIN) or die "couldn't parse MIME stream";
@@ -120,6 +122,7 @@ system("cd .. ; ./processmail $found_id '$SenderShort'");
 sub DealWithError {
   my ($reason) = @_;
   print $reason . "\n";
+  exit 100;
 }
 
 # Yanking this wholesale from bug_email, 'cause I know this works.  I'll