we know that the statement is ok; use $1 to avoid taint issues
[debbugs.git] / Debbugs / CGI / Pkgreport.pm
index 696a9e015c382c29555f772b7db61454e32ed5a9..523dbbb90a6a909d9043a4e949836dc9c35624b6 100644 (file)
@@ -471,20 +471,22 @@ sub parse_order_statement_into_boolean {
     $statement =~ s/\+/&&/g;
     # replace all , with ||
     $statement =~ s/,/||/g;
-    $statement =~ s{(?<field>[^\&\|\=]+)=(?<value>[^\&\|\=]+)}
-              {
+    $statement =~ s{([^\&\|\=]+) # field
+                    =
+                    ([^\&\|\=]+) # value
+              }{
                   my $ok = 0;
-                  if ($+{field} eq 'tag') {
-                      $ok = 1 if defined $tags->{$+{value}};
+                  if ($1 eq 'tag') {
+                      $ok = 1 if defined $tags->{$2};
                   } else {
-                      $ok = 1 if defined $status->{$+{field}} and
-                          $status->{$+{field}} eq $+{value};
+                      $ok = 1 if defined $status->{$1} and
+                          $status->{$1} eq $2;
                   }
                   $ok;
               }exg;
     # check that the parsed statement is just valid boolean statements
     if ($statement =~ /^([01\(\)\&\|]+)$/) {
-        return eval "$statement";
+        return eval "$1";
     } else {
         # this is an invalid boolean statement
         return 0;
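Review bot: The character-class test in `if ($statement =~ /^([01\(\)\&\|]+)$/)` is the only gate in front of the string `eval`, and it also accepts strings that are not valid expressions (an unbalanced parenthesis, a trailing `&&`), so `eval "$1"` can fail, leaving `$@` set and returning undef rather than the 0 the else branch returns. Handling that case explicitly would make malformed input behave like invalid input: `my $result = eval "$1"; return $@ ? 0 : $result;`. The pattern would be stricter as `/\A([01()&|]+)\z/`, because `$` also matches before a trailing newline; that is harmless now that only `$1` is evaluated, but the intent is a whole-string match. Since this capture is what untaints the input, a comment above the test would help the next maintainer: `# $1 is untainted by this capture; keep the class limited to 0 1 ( ) & | because whatever matches is passed to string eval`. The sub starts before this hunk and continues past its last line, so any handling of `$@` further down is not visible here.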