From: Ulf E. <ulf...@fa...> - 2005-02-20 18:47:25
* Ulf Erikson [2005-02-17 23:26]:
> The easiest way I know to access web-sites from the command line is by
> using cURL. There should be bindings to cURL-lib from languages such as
> python and perl. Attached is a small bash script to show how easy it is
> to report and comment on bugs this way.

Here is a similar script using Perl::LWP. Making this script insert bugs from a CSV should be pretty easy. (The only real problem will be that so much has to be integers.)

> I've got another question: When I post changes this way, not using the
> web-forms, do all restrictions still apply? What about safe-guarding
> against bad data? Some invalid values seem to make a bug invisible..

Are the security issues mentioned earlier really fixed?
http://sourceforge.net/mailarchive/forum.php?thread_id=4376593&forum_id=3188

The patch I find that addresses this is:
http://cvs.sourceforge.net/viewcvs.py/phpbt/phpbt/bug.php?view=log#rev1.134.2.3

It seems to check that bugid is an integer and it quotes a few SQL queries. Still, all the queries in inc/db/*.php are unquoted.

My feeling is that one can still issue SQL queries from remote by sending faked forms. (Simply adding commands to the URL by hand, or using scripts like these instead of using the intended web-form.)

-- 
Ulf
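The concern raised in the message above, that a scripted form submission is not bound by anything the HTML form enforces and that an unquoted query then executes whatever the field contains, can be shown offline in a few lines. The following is an added example, not code from the thread or from phpBugTracker: it uses a constructed SQLite table named `bug` (an assumption, not the project's real schema) and a hypothetical `bugid` form field, and contrasts a string-built query with one that first checks the value is a plain integer and then binds it as a parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlencode


def setup_db():
    """Constructed in-memory stand-in for a bug tracker table (assumption, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bug (bug_id INTEGER PRIMARY KEY, title TEXT, status_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO bug VALUES (?, ?, ?)",
        [(1, "Login fails", 1), (2, "Crash on save", 1), (3, "Typo in footer", 2)],
    )
    conn.commit()
    return conn


def fake_form_post(bugid_value):
    """Build the body a script (not a browser) would POST for a hypothetical 'bugid' field.

    A <select> or hidden field in the real form can only yield the values the
    page offers; a script can put any string here. Returns the raw body.
    """
    return urlencode({"bugid": bugid_value})


def server_reads_field(body):
    """What the server sees after decoding the form body: an arbitrary string."""
    return parse_qs(body)["bugid"][0]


def find_bug_unquoted(conn, bugid):
    """Unquoted, string-built query: the pattern the message worries about.

    Whatever arrived in the form field becomes part of the SQL text.
    """
    sql = "SELECT bug_id, title FROM bug WHERE bug_id = " + bugid
    return conn.execute(sql).fetchall()


def find_bug_checked(conn, bugid):
    """Server-side guard: accept only a plain decimal integer, then bind it.

    re.fullmatch is used instead of int() because int() also accepts
    strings like ' 1 ', '+1' or '1_000', which are not what a bug id looks like.
    """
    if not re.fullmatch(r"[0-9]+", bugid):
        raise ValueError("bugid must be an integer, got %r" % bugid)
    return conn.execute(
        "SELECT bug_id, title FROM bug WHERE bug_id = ?", (int(bugid),)
    ).fetchall()


def demo():
    """Run the two lookups against a normal and a faked submission; returns a summary dict."""
    conn = setup_db()
    normal = server_reads_field(fake_form_post("2"))
    faked = server_reads_field(fake_form_post("1 OR 1=1"))  # constructed malicious value

    result = {
        "unquoted_normal": find_bug_unquoted(conn, normal),
        "unquoted_faked": find_bug_unquoted(conn, faked),  # returns every row
        "checked_normal": find_bug_checked(conn, normal),
    }
    try:
        find_bug_checked(conn, faked)
        result["checked_faked"] = "accepted"
    except ValueError:
        result["checked_faked"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The faked field value never reaches the database as data in the checked version; it is rejected before any SQL is built. The example uses a single `OR` clause rather than a stacked `; DROP TABLE` statement because Python's `sqlite3.execute` refuses to run more than one statement per call, but against a driver that allows it the unquoted form would execute that as well. Quoting a handful of call sites, as the patch linked above does, helps only if every query that takes form input is covered; the check-then-bind pattern is the one to apply uniformly.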