diff -Nur p4db.orig/P4CGI.pm p4db/P4CGI.pm
--- p4db.orig/P4CGI.pm Mon Apr 12 11:33:17 2004
+++ p4db/P4CGI.pm Tue Apr 20 15:06:56 2004
@@ -438,6 +438,11 @@
 my ( $par, @command ) = @_;
 my $partype = ref $par ;
 push @ERRLOG,"p4call(<$partype>,@command)" ;
+
+ # Unfortunately, we can't filter out " and >, since they're used to quote
+ # the arguments, and redirect output. Bummer. We'll just hope that everyone
+ # else filtered things OK.
+ &bail("Invalid P4 command @command") if ("$P4 @command" =~ /['`&;|<\!()\$\\]/);
 if(!$partype) {
 open( $par, "$P4 @command|" ) || &bail( "$P4 @command failed" );
 return ;
diff -Nur p4db.orig/SetPreferences.cgi p4db/SetPreferences.cgi
--- p4db.orig/SetPreferences.cgi Mon Apr 12 11:28:37 2004
+++ p4db/SetPreferences.cgi Mon Apr 12 11:55:49 2004
@@ -14,6 +14,7 @@
 #################################################################
 my $newp = &P4CGI::cgi()->param("SET_PREFERENCES") ;
+$newp = "Yes" if defined $newp;
 my $fullURL = &P4CGI::cgi()->url(-full=>1) ;
 if((defined $newp) and
diff -Nur p4db.orig/branchView.cgi p4db/branchView.cgi
--- p4db.orig/branchView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/branchView.cgi Mon Apr 12 11:55:49 2004
@@ -19,6 +19,7 @@
 ###
 my $branch = P4CGI::cgi()->param("BRANCH") ;
 &P4CGI::bail("No branch specified") unless defined $branch ;
+&P4CGI::bail("Invalid branch specified") if $branch =~ /[<>"&:;'`]/;
 ###
diff -Nur p4db.orig/changeByUsers.cgi p4db/changeByUsers.cgi
--- p4db.orig/changeByUsers.cgi Mon Apr 12 11:28:37 2004
+++ p4db/changeByUsers.cgi Wed Apr 21 09:37:10 2004
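Review bot: The new guard in p4call still lets a newline through — `\n` is not in the `['`&;|<\!()\$\\]` class — and the command is then handed to the shell by the 2-arg pipe open two lines below, `open( $par, "$P4 @command|" )`, so this filter cannot be made complete; the comment already concedes that `"` and `>` must be allowed because callers pre-quote their arguments. The robust fix is to not involve the shell at all: the list form `open( $par, '-|', $P4, @command ) || &bail( "$P4 @command failed" );` passes `@command` as argv, after which neither this denylist nor the callers' manual `"\"" . join("\" \"",@FSPC) . "\""` quoting is needed (those callers would then pass bare arguments). If the shell path has to stay for now, add `\n` and `\r` to the class at minimum. Whether `&bail` ends the request or only prints is not visible in this hunk; the guard only helps if it does not return. Sub p4call starts before this hunk and continues past it.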
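Review bot: The branchView check is a denylist — it leaves `|`, `$`, `(`, `)`, `\`, `!` and newline to the second filter in P4CGI::p4call (which itself lacks newline) — and the identical character class is copied into changeList, clientView, depotStats, depotTreeBrowser, fileDiffView, fileDownLoad, fileLogView, fileOpen, fileSearch, fileViewer, filesChangedSince, groupView, htmlFileView, jobView, labelDiffView, labelView, searchPattern and specialFileView in the hunks below. A per-parameter allowlist is stricter and easier to audit, and javaDataView, userView and clientList already take that route with `^\w*$`; for a branch name something like `&P4CGI::bail("Invalid branch specified") unless $branch =~ /\A[\w.\-]+\z/;` (constructed example — widen to exactly what this depot's branch names use) would do, while file-spec allowlists must keep `/`, `.`, `#`, `@` and the p4 wildcards, since `$files[0] =~ s/^([^\#]+)\#(\d+)/$1/` in fileDiffView relies on the `#rev` suffix. If the denylist is kept, factor it into one helper in P4CGI so the copies cannot drift apart.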
@@ -15,8 +15,11 @@
 my $FSPC = &P4CGI::cgi()->param("FSPC") ;
 $FSPC = "//..." unless defined $FSPC ;
+&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
 my $COMPLETE= &P4CGI::cgi()->param("COMPLETE") ;
+&P4CGI::bail("Invalid COMPLETE flag.")
+ unless (!defined($COMPLETE) || ($COMPLETE =~ /^\w+^/));
 my @legend ;
diff -Nur p4db.orig/changeList.cgi p4db/changeList.cgi
--- p4db.orig/changeList.cgi Mon Apr 12 11:28:37 2004
+++ p4db/changeList.cgi Tue Apr 20 15:10:49 2004
@@ -96,6 +96,9 @@
 $filespec = "//..." unless defined $filespec ;
 $filespec =~ s/\s*\+\s*\/\//\/\//g ; # replace +// with // # where is 0 or more whitespace charcaters
+
+&P4CGI::bail("Invalid file spec.") if ($filespec =~ /[<>"&:;'`]/);
+
 my @FSPC = map { if($_) { "//".$_ ; }
@@ -107,6 +110,7 @@
 #
 my $LABEL = P4CGI::cgi()->param("LABEL") ;
 if(defined $LABEL and $LABEL eq "-") { $LABEL = undef ; } ;
+&P4CGI::bail("Invalid label.") if ($LABEL =~ /[<>"&:;'`]/);
 #
 # Check that FSPC or LABEL is specified
@@ -120,18 +124,22 @@
 #
 my $EXLABEL = &P4CGI::cgi()->param("EXLABEL") ;
 if(defined $EXLABEL and $EXLABEL eq "-") { $EXLABEL = undef ; } ;
+&P4CGI::bail("Invalid label to exclude.") if ($EXLABEL =~ /[<>"&:;'`]/);
 #
 # Get status
 #
 my $STATUS = &P4CGI::cgi()->param("STATUS") ;
 unless(defined $STATUS) { $STATUS = "submitted" ; } ;
+unless ($STATUS =~ /^\w+$/) { &P4CGI::bail("Invalid status."); };
 #
 # Get max changes to display
 #
 my $MAXCH = P4CGI::cgi()->param("MAXCH") ;
 $MAXCH = &P4CGI::MAX_CHANGES() unless(defined $MAXCH) ;
+unless ($MAXCH =~ /^\d+$/) {
+ &P4CGI::bail("Invalid value for the maximum number of changes ."); };
 #
 # Get first change No. to display and offset from start
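Review bot: The COMPLETE check on the last added line of the changeByUsers hunk cannot pass for any defined value: `/^\w+^/` ends in a second start-of-string anchor instead of `$`, so every request that supplies COMPLETE is rejected with "Invalid COMPLETE flag.". Change it to `unless (!defined($COMPLETE) || ($COMPLETE =~ /\A\w+\z/));`, using `\z` rather than `$` so a value with a trailing newline is not accepted either.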
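Review bot: In the changeList `@@ -107` hunk `$LABEL` is set to undef two lines earlier when it is `-` and is simply undefined when the parameter is absent, so the new match runs on an undefined value; it rejects nothing wrongly, but with warnings enabled it logs "Use of uninitialized value" on every such request, and the same shape is repeated for EXLABEL in the next hunk, for SEARCHDESC, SEARCH_INVERT, GROUP and CLIENT in the later changeList hunks, and in depotTreeBrowser.cgi and fileDiffView.cgi. The USER check in the `@@ -167` hunk already has the right form; follow it here: `&P4CGI::bail("Invalid label.") if defined $LABEL and $LABEL =~ /[<>"&:;'`]/;`. Separately, the allowlists `^\w+$` and `^\d+$` used for STATUS, MAXCH, FIRSTCH, CHOFFSET and USER should be anchored `\A…\z`, since `$` also matches before a final newline and these values are later used as numbers and command arguments.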
@@ -140,7 +148,13 @@
 my $CHOFFSET=0 ;
 if(defined $MAXCH) {
 $FIRSTCH = P4CGI::cgi()->param("FIRSTCH") ;
+ unless (!defined($FIRSTCH) || ($FIRSTCH =~ /^\d+$/)) {
+ &P4CGI::bail("Invalid value for the starting change number.");
+ }
 $CHOFFSET = P4CGI::cgi()->param("CHOFFSETDISP") ;
+ unless (!defined($CHOFFSET) || ($CHOFFSET =~ /^\d+$/)) {
+ &P4CGI::bail("Invalid value for the change number offset.");
+ }
 }
@@ -152,7 +166,10 @@
 #
 my $SEARCHDESC = &P4CGI::cgi()->param("SEARCHDESC") ;
 $SEARCHDESC=undef if defined $SEARCHDESC and $SEARCHDESC eq "" ;
+&P4CGI::bail("Invalid search terms.") if ($SEARCHDESC =~ /[<>"&:;'`]/);
+
 my $SEARCH_INVERT = &P4CGI::cgi()->param("SEARCH_INVERT") ;
+&P4CGI::bail("Invalid search terms.") if ($SEARCH_INVERT =~ /[<>"&:;'`]/);
 my $USER = &P4CGI::cgi()->param("USER") ;
 {
@@ -167,6 +184,8 @@
 }
 }
 $USER=undef if defined $USER and $USER eq "" ;
+&P4CGI::bail("Invalid user(s).")
+ unless (!defined($USER) || ($USER =~ /^\w+(,\w+)*$/));
 my $GROUP = &P4CGI::cgi()->param("GROUP") ;
 {
@@ -181,10 +200,11 @@
 }
 }
 $GROUP=undef if defined $GROUP and $GROUP eq "" ;
-
+&P4CGI::bail("Invalid group(s).") if ($GROUP =~ /[<>"&:;'`]/);
 my $CLIENT = &P4CGI::cgi()->param("CLIENT") ;
 $CLIENT=undef if defined $CLIENT and $CLIENT eq "" ;
+&P4CGI::bail("Invalid client specified.") if ($CLIENT =~ /[<>"&:;'`]/);
 ###
 ### Sub getChanges
diff -Nur p4db.orig/changeView.cgi p4db/changeView.cgi
--- p4db.orig/changeView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/changeView.cgi Mon Apr 12 11:55:49 2004
@@ -17,7 +17,9 @@
 # Get file spec argument
 my $change = P4CGI::cgi()->param("CH") ;
 &P4CGI::bail("No change number specified") unless defined $change ;
+&P4CGI::bail("Invalid change number specified") unless ($change =~ /^\d+$/);
 $change =~ /^\d+$/ or &P4CGI::bail("\"$change\" is not a positive number");
+
 my @desc ;
 my $currlev = &P4CGI::CURRENT_CHANGE_LEVEL() ;
 if($change > $currlev or $change < 1) {
diff -Nur p4db.orig/clientList.cgi p4db/clientList.cgi
--- p4db.orig/clientList.cgi Mon Apr 12 11:28:37 2004
+++ p4db/clientList.cgi Wed Apr 21 09:38:25 2004
@@ -43,6 +43,9 @@
 }
 my $user = P4CGI::cgi()->param("USER") ;
+&P4CGI::bail("Invalid user specified.")
+ unless (!defined($user) || ($user =~ /^\w+$/));
+
 my $mode = P4CGI::cgi()->param("MODE") ;
 $mode = "Brief" unless (defined $mode) and ($mode eq "Complete") ;
 $mode = "Complete" if defined $user ;
diff -Nur p4db.orig/clientView.cgi p4db/clientView.cgi
--- p4db.orig/clientView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/clientView.cgi Mon Apr 12 11:55:49 2004
@@ -18,6 +18,8 @@
 unless(defined $client) {
 &P4CGI::bail("No client specified!") ;
 } ;
+&P4CGI::bail("Invalid client specified!") if ($client =~ /[<>"&:;'`]/);
+
 # Get list of users and full names
 my @users ;
diff -Nur p4db.orig/depotStats.cgi p4db/depotStats.cgi
--- p4db.orig/depotStats.cgi Mon Apr 12 11:28:37 2004
+++ p4db/depotStats.cgi Mon Apr 12 11:55:49 2004
@@ -26,6 +26,7 @@
 #
 my $FSPC = P4CGI::cgi()->param("FSPC") ;
 $FSPC = "//..." unless defined $FSPC ;
+&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
 my @FSPC = split(/\s*\+?\s*(?=\/\/)/,$FSPC) ;
 $FSPC = "".join(" and ",@FSPC)."" ;
 my $FSPCcmd = "\"" . join("\" \"",@FSPC) . "\"" ;
diff -Nur p4db.orig/depotTreeBrowser.cgi p4db/depotTreeBrowser.cgi
--- p4db.orig/depotTreeBrowser.cgi Mon Apr 12 11:28:37 2004
+++ p4db/depotTreeBrowser.cgi Mon Apr 12 11:55:49 2004
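Review bot: The line added to changeView duplicates the check immediately below it: `$change =~ /^\d+$/ or &P4CGI::bail("\"$change\" is not a positive number");` already rejects exactly the same input, with the more informative message, so the new `bail("Invalid change number specified")` only makes the existing message unreachable. Drop the added line, or, if it is kept for uniformity with the other scripts, remove the old one rather than carrying both. Whichever survives should anchor with `\A\d+\z`, because `^\d+$` accepts a value ending in a newline that is then compared numerically against `$currlev`.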
@@ -18,6 +18,7 @@
 ###
 # * Get path from argument
 my $fspc = P4CGI::cgi()->param("FSPC") ;
+&P4CGI::bail("Invalid file spec.") if ($fspc =~ /[<>"&:;'`]/);
 $fspc =~ s/\.\.\.$// if defined $fspc ;
 # Find out if we have multiple depots
 my @depots ;
diff -Nur p4db.orig/fileDiffView.cgi p4db/fileDiffView.cgi
--- p4db.orig/fileDiffView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/fileDiffView.cgi Mon Apr 12 11:55:49 2004
@@ -17,32 +17,40 @@
 #################################################################
 # Get file spec argument
-my @files = split /,/,P4CGI::cgi()->param("FSPC") ;
+my $FSPC = P4CGI::cgi()->param("FSPC") ;
+&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
+my @files = split /,/,$FSPC;
 &P4CGI::bail("No file specified") unless @files > 0 ;
-my @revs = split / /,P4CGI::cgi()->param("REV") if defined P4CGI::cgi()->param("REV") ;
+my $REV = P4CGI::cgi()->param("REV");
+my @revs = split / /,$REV if defined $REV;
+&P4CGI::bail("Invalid file revisions.") unless ($REV =~ /^[0-9 ]*$/);
 $files[0] =~ s/^([^\#]+)\#(\d+)/$1/ and do { $revs[0] = $2 ; } ;
 &P4CGI::bail("No revision specified") unless @revs > 0 ;
-my @modes ;
-@modes = split / /,P4CGI::cgi()->param("ACT") if defined P4CGI::cgi()->param("ACT") ;
+my $ACT = P4CGI::cgi()->param("ACT");
+&P4CGI::bail("Invalid mode(s).") if ($ACT =~ /[<>"&:;'`]/);
+my @modes = split / /,$ACT if defined $ACT;
 &P4CGI::bail("No mode specified") unless @modes > 0 ;
-my @files2 ;
-@files2 =
- split /,/,P4CGI::cgi()->param("FSPC2") if defined P4CGI::cgi()->param("FSPC2") ;
-my @revs2 ;
-@revs2 =
- split / /,P4CGI::cgi()->param("REV2") if defined P4CGI::cgi()->param("REV2") ;
+my $FSPC2 = P4CGI::cgi()->param("FSPC2");
+&P4CGI::bail("Invalid file spec.") if ($FSPC2 =~ /[<>"&:;'`]/);
+my @files2 = split /,/,$FSPC2 if defined $FSPC2;
+
+my $REV2 = P4CGI::cgi()->param("REV2");
+my @revs2 = split / /,$REV2 if defined $REV2;
+&P4CGI::bail("Invalid revisions specified.") unless ($REV2 =~ /^[0-9 ]*$/);
 if(defined $files2[0]) {
 $files2[0] =~ s/^([^\#]+)\#(\d+)/$1/ and do { $revs2[0] = $2 ; } ;
 } ;
 my $change = P4CGI::cgi()->param("CH") ;
+&P4CGI::bail("Invalid change specified.") unless ($change =~ /^[0-9]*$/);
 # Constants for the file diff display
 # $NCONTEXT - number of lines context before and after a diff
 my $NCONTEXT = P4CGI::cgi()->param("CONTEXT") ;
+&P4CGI::bail("Invalid number of context lines.") unless ($NCONTEXT =~ /^[0-9]*$/);
$NCONTEXT = 10 unless defined $NCONTEXT ;
 # $MAXCONTEXT - max number of lines context between diffs
diff -Nur p4db.orig/fileDownLoad.cgi p4db/fileDownLoad.cgi
--- p4db.orig/fileDownLoad.cgi Mon Apr 12 11:28:37 2004
+++ p4db/fileDownLoad.cgi Mon Apr 12 11:55:49 2004
@@ -17,12 +17,14 @@
 # Get file spec argument
 my $file = P4CGI::cgi()->param("FSPC") ;
 &P4CGI::bail("No file specified") unless defined $file ;
+&P4CGI::bail("Invalid file.") if ($file =~ /[<>"&:;'`]/);
 my $filename = $file ;
 $filename =~ s/.*\/// ;
 my $revision = P4CGI::cgi()->param("REV") ;
 &P4CGI::bail("No revision specified") unless defined $revision ;
+&P4CGI::bail("Invalid revision specified") unless $revision =~ /^\d*$/;
 local *P4 ;
diff -Nur p4db.orig/fileLogView.cgi p4db/fileLogView.cgi
--- p4db.orig/fileLogView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/fileLogView.cgi Tue Apr 20 15:17:12 2004
@@ -34,14 +34,15 @@
 # File argument
 my $file = P4CGI::cgi()->param("FSPC") ;
 &P4CGI::bail("No file spec") unless defined $file ;
+&P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);
 # Label x-reference argument
 my $listLabel = P4CGI::cgi()->param("LISTLAB") ;
-$listLabel = "No" unless defined $listLabel ;
+$listLabel = "No" unless defined $listLabel and $listLabel eq "Yes";
 # Show branch info argument
 my $showBranch = P4CGI::cgi()->param("SHOWBRANCH") ;
-$showBranch="No" unless defined $showBranch ;
+$showBranch="No" unless defined $showBranch and $showBranch eq "Yes";
 # Get file data
 my @filelog ;
diff -Nur p4db.orig/fileOpen.cgi p4db/fileOpen.cgi
--- p4db.orig/fileOpen.cgi Mon Apr 12 11:28:37 2004
+++ p4db/fileOpen.cgi Mon Apr 12 11:55:49 2004
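Review bot: The rewritten declarations in fileDiffView — `my @revs = split / /,$REV if defined $REV;`, `my @modes = split / /,$ACT if defined $ACT;`, `my @files2 = split /,/,$FSPC2 if defined $FSPC2;` and `my @revs2 = split / /,$REV2 if defined $REV2;` — put `my` under a statement modifier, which perlsyn documents as undefined behaviour (whether the variable is freshly initialised when the condition is false is unspecified); the removed lines had the safe two-step form `my @modes ; @modes = … if defined …`, so this is a regression, not a cleanup. Keep each declaration unconditional and move the validation above the split, guarded with `defined`, which also removes the uninitialised-value warning the `$REV`/`$REV2` checks emit when the parameter is absent. The rewritten lines are below; the rest of the hunk is unchanged.
```perl
my $REV = P4CGI::cgi()->param("REV");
&P4CGI::bail("Invalid file revisions.") if defined $REV and $REV !~ /\A[0-9 ]*\z/;
my @revs = defined $REV ? split(/ /, $REV) : ();
# … unchanged: $files[0] "#rev" suffix handling, "No revision specified" check …
my $ACT = P4CGI::cgi()->param("ACT");
&P4CGI::bail("Invalid mode(s).") if defined $ACT and $ACT =~ /[<>"&:;'`]/;
my @modes = defined $ACT ? split(/ /, $ACT) : ();
# … unchanged: "No mode specified" check …
my $FSPC2 = P4CGI::cgi()->param("FSPC2");
&P4CGI::bail("Invalid file spec.") if defined $FSPC2 and $FSPC2 =~ /[<>"&:;'`]/;
my @files2 = defined $FSPC2 ? split(/,/, $FSPC2) : ();

my $REV2 = P4CGI::cgi()->param("REV2");
&P4CGI::bail("Invalid revisions specified.") if defined $REV2 and $REV2 !~ /\A[0-9 ]*\z/;
my @revs2 = defined $REV2 ? split(/ /, $REV2) : ();
# … unchanged: $files2[0] handling, CH and CONTEXT checks …
```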
@@ -17,6 +17,7 @@
 # File argument
 my $FSPC = P4CGI::cgi()->param("FSPC") ;
 $FSPC = "//..." unless defined $FSPC ;
+&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
 my @FSPC = split(/\s*\+?\s*(?=\/\/)/,$FSPC) ;
 $FSPC = "".join(" and ",@FSPC)."" ;
 my $FSPCcmd = "\"" . join("\" \"",@FSPC) . "\"" ;
diff -Nur p4db.orig/fileSearch.cgi p4db/fileSearch.cgi
--- p4db.orig/fileSearch.cgi Mon Apr 12 11:28:37 2004
+++ p4db/fileSearch.cgi Mon Apr 12 11:55:49 2004
@@ -17,11 +17,14 @@
 # Get file spec argument
 my $filespec = P4CGI::cgi()->param("FSPC") ;
 $filespec = "" unless defined $filespec ;
+&P4CGI::bail("Invalid file spec.") if ($filespec =~ /[<>"&:;'`]/);
 my $label = P4CGI::cgi()->param("LABEL") ;
 if(!defined $label) { $label = "" ; }
+&P4CGI::bail("Invalid label.") if ($label =~ /[<>"&:;'`]/);
+
 my $filedesc ;
 my $showDiffSelection="Y" ;
 if($filespec eq "") {
diff -Nur p4db.orig/fileViewer.cgi p4db/fileViewer.cgi
--- p4db.orig/fileViewer.cgi Mon Apr 12 11:28:37 2004
+++ p4db/fileViewer.cgi Tue Apr 20 15:20:15 2004
@@ -31,6 +31,7 @@
 my $file = P4CGI::cgi()->param("FSPC") ;
 &P4CGI::bail("No file specified") unless defined $file ;
+&P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);
 my $ext = $file ;
 $ext =~ s/^.*\.// ;
@@ -38,9 +39,11 @@
 my $revision = P4CGI::cgi()->param("REV") ;
 # &P4CGI::bail("No revision specified") unless defined $revision ;
 $revision = "#$revision" if defined $revision ;
-$revision="" unless defined $revision ;
+$revision = "" unless defined $revision ;
+&P4CGI::bail("Invalid revision.") unless ($revision =~ /^#?\d*$/);
 my $force = P4CGI::cgi()->param("FORCE") ;
+$force = "Yes" if defined $force;
 # find out if p4br.perl is available, if true set smart
diff -Nur p4db.orig/filesChangedSince.cgi p4db/filesChangedSince.cgi
--- p4db.orig/filesChangedSince.cgi Mon Apr 12 11:28:37 2004
+++ p4db/filesChangedSince.cgi Mon Apr 12 11:55:49 2004
@@ -24,6 +24,7 @@
 my $FSPC = P4CGI::cgi()->param("FSPC") ;
 $FSPC = "//..." unless defined $FSPC ;
+&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
 my @FSPC = split(/\s*\+?\s*(?=\/\/)/,$FSPC) ;
 my $WEEKS = P4CGI::cgi()->param("WEEKS") ;
diff -Nur p4db.orig/groupView.cgi p4db/groupView.cgi
--- p4db.orig/groupView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/groupView.cgi Mon Apr 12 11:55:49 2004
@@ -22,6 +22,8 @@
 &P4CGI::bail("No group specified!") ;
 } ;
+&P4CGI::bail("Invalid group.") if ($group =~ /[<>"&:;'`]/);
+
 # Get real user names...
 my %userCvt ;
 {
diff -Nur p4db.orig/htmlFileView.cgi p4db/htmlFileView.cgi
--- p4db.orig/htmlFileView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/htmlFileView.cgi Mon Apr 12 11:55:49 2004
@@ -18,6 +18,7 @@
 # Get type arg
 my $type = P4CGI::cgi()->param("TYPE") ;
 &P4CGI::bail("No file type specified") unless defined $type ;
+&P4CGI::bail("Invalid file type.") if ($type =~ /[<>"&:;'`]/);
 my $err2null = &P4CGI::REDIRECT_ERROR_TO_NULL_DEVICE() ;
@@ -28,10 +29,12 @@
 # Get file spec argument
 my $file = P4CGI::cgi()->param("FSPC") ;
 &P4CGI::bail("No file specified") unless defined $file ;
+ &P4CGI::bail("Invalid file spec.") if ($file =~ /[<>"&:;'`]/);
 my $revision = P4CGI::cgi()->param("REV") ;
 $revision = "#$revision" if defined $revision ;
- $revision="" unless defined $revision ;
+ $revision = "" unless defined $revision ;
+ &P4CGI::bail("Invalid file spec.") unless ($revision =~ /^#?\d*$/);
 my $filename=$file ;
 $filename =~ s/^.*\///;
diff -Nur p4db.orig/javaDataView.cgi p4db/javaDataView.cgi
--- p4db.orig/javaDataView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/javaDataView.cgi Mon Apr 12 11:55:49 2004
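Review bot: The message on the last added line of the second htmlFileView hunk is wrong: `&P4CGI::bail("Invalid file spec.") unless ($revision =~ /^#?\d*$/);` reports a bad file spec when it is the REV parameter that failed, which misleads users and anyone reading the logs, and the identical check in fileViewer.cgi and specialFileView.cgi already says `"Invalid revision."` — use that text here. As elsewhere in this commit, `\A#?\d*\z` is the anchoring that excludes a trailing newline; `$` does not. The enclosing block continues past the hunk.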
@@ -17,6 +17,8 @@
 # * Get path from argument
 my $cmd = P4CGI::cgi()->param("CMD") ;
+&P4CGI::bail("Invalid command.") unless ($cmd =~ /^\w*$/);
+
 my $err2null = &P4CGI::REDIRECT_ERROR_TO_NULL_DEVICE() ;
 local *P4 ;
diff -Nur p4db.orig/jobList.cgi p4db/jobList.cgi
--- p4db.orig/jobList.cgi Mon Apr 12 11:28:37 2004
+++ p4db/jobList.cgi Mon Apr 12 11:55:49 2004
@@ -263,6 +263,7 @@
 else {
 # Do we have "JOBVIEW"?
 my $jobview = &P4CGI::cgi()->param("JOBVIEW") ;
+ $jobview = "Yes" if defined $jobview;
 my $jobviewDesc ;
 if(defined $jobview) {
 $jobviewDesc = "Where jobview is: $jobview" ;
@@ -275,6 +276,7 @@
 my @selectParams = grep { /^FLD/ ; } P4CGI::cgi()->param ;
 my %params ;
 foreach (@selectParams) {
+ &P4CGI::bail("Invalid field parameter.") if (/[<>"&:;'`]/);
 my $v = $_ ;
 s/^FLD// ;
 my @pars = &P4CGI::cgi()->param($v) ;
@@ -282,7 +284,7 @@
 }
 # Set match all/any
 my $MATCHTYPE = &P4CGI::cgi()->param("MATCHTYPE") ;
- $MATCHTYPE="all" unless defined $MATCHTYPE ;
+ $MATCHTYPE="all" unless defined $MATCHTYPE and $MATCHTYPE eq "any";
 my $matchtype = "|" ;
 my $matchtypeDesc = "or" ;
 if($MATCHTYPE eq "all") {
diff -Nur p4db.orig/jobView.cgi p4db/jobView.cgi
--- p4db.orig/jobView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/jobView.cgi Mon Apr 12 11:55:49 2004
@@ -17,6 +17,7 @@
 # Get file spec argument
 my $job = P4CGI::cgi()->param("JOB") ;
 &P4CGI::bail("No job specified") unless defined $job ;
+&P4CGI::bail("Invalid job.") if ($job =~ /[<>"&:;'`]/);
 # Create title
 print "", &P4CGI::start_page("Job $job","") ;
diff -Nur p4db.orig/labelDiffView.cgi p4db/labelDiffView.cgi
--- p4db.orig/labelDiffView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/labelDiffView.cgi Mon Apr 12 11:55:49 2004
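Review bot: The check added inside `foreach (@selectParams)` in the jobList `@@ -275` hunk validates the parameter name held in `$_` (the `FLD…` key), not the user-supplied values: `my @pars = &P4CGI::cgi()->param($v) ;` two lines later reads those values and nothing in this hunk looks at them. If they are not validated further down — the loop body continues past the hunk — they need the same treatment, e.g. `&P4CGI::bail("Invalid field value.") if grep { /[<>"&:;'`]/ } @pars;` directly after that line. The name check itself is cheap but mostly redundant, since the names were already filtered by `grep { /^FLD/ ; }`.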
@@ -23,6 +23,9 @@
 &P4CGI::error("No first label specified") unless defined $LABEL1 ;
 &P4CGI::error("No second label specified") unless defined $LABEL2 ;
+&P4CGI::bail("Invalid first label.") if ($LABEL1 =~ /[<>"&:;'`]/);
+&P4CGI::bail("Invalid second label.") if ($LABEL2 =~ /[<>"&:;'`]/);
+
 # defined if files that are the same in both labels
 # should be listed
 my $SHOWSAME = P4CGI::cgi()->param("SHOWSAME") ;
diff -Nur p4db.orig/labelView.cgi p4db/labelView.cgi
--- p4db.orig/labelView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/labelView.cgi Mon Apr 12 11:55:49 2004
@@ -16,6 +16,7 @@
 # Get label
 my $label = P4CGI::cgi()->param("LABEL") ;
 &P4CGI::bail("No label specified") unless defined $label ;
+&P4CGI::bail("Invalid label.") if ($label =~ /[<>"&:;'`]/);
 my $found ;
 # Get list of all labels and also check that supplied label exists
diff -Nur p4db.orig/searchPattern.cgi p4db/searchPattern.cgi
--- p4db.orig/searchPattern.cgi Mon Apr 12 11:28:37 2004
+++ p4db/searchPattern.cgi Mon Apr 12 11:55:49 2004
@@ -15,6 +15,7 @@
 my $FSPC = &P4CGI::cgi()->param("FSPC") ;
 $FSPC = "//..." unless defined $FSPC ;
+&P4CGI::bail("Invalid file spec.") if ($FSPC =~ /[<>"&:;'`]/);
 my @legend ;
diff -Nur p4db.orig/specialFileView.cgi p4db/specialFileView.cgi
--- p4db.orig/specialFileView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/specialFileView.cgi Mon Apr 12 11:55:49 2004
@@ -21,14 +21,17 @@
 # Get type arg
 my $type = P4CGI::cgi()->param("TYPE") ;
 &P4CGI::bail("No file type specified") unless defined $type ;
+&P4CGI::bail("Invalid file type.") if ($type =~ /[<>"&:;'`]/);
 # Get file spec argument
 my $file = P4CGI::cgi()->param("FSPC") ;
 &P4CGI::bail("No file specified") unless defined $file ;
+&P4CGI::bail("Invalid file.") if ($file =~ /[<>"&:;'`]/);
 my $revision = P4CGI::cgi()->param("REV") ;
 $revision = "#$revision" if defined $revision ;
 $revision="" unless defined $revision ;
+&P4CGI::bail("Invalid revision.") unless ($revision =~ /^#?\d*$/);
 my ($url,$desc,$content,$about) = @{$viewConfig::TypeData{$type}} ;
 &P4CGI::bail("Undefined type code") unless defined $url ;
diff -Nur p4db.orig/userList.cgi p4db/userList.cgi
--- p4db.orig/userList.cgi Mon Apr 12 11:28:37 2004
+++ p4db/userList.cgi Mon Apr 12 11:55:49 2004
@@ -16,6 +16,7 @@
 my $GROUPSONLY = P4CGI::cgi()->param("GROUPSONLY") ;
+$GROUPSONLY = "Y" if defined $GROUPSONLY;
 sub weeksago($$$ ) {
 my ($y,$m,$d) = @_ ;
diff -Nur p4db.orig/userView.cgi p4db/userView.cgi
--- p4db.orig/userView.cgi Mon Apr 12 11:28:37 2004
+++ p4db/userView.cgi Mon Apr 12 11:55:49 2004
@@ -19,6 +19,8 @@
 unless(defined $user) {
 &P4CGI::bail("No user specified!") ;
 } ;
+&P4CGI::bail("Invalid user.") unless ($user =~ /^\w+$/);
+
 # List all users
 my @userData ;