Bugzilla::Util - Generic utility functions for bugzilla


  use Bugzilla::Util;

  # Functions for dealing with variable tainting
  $rv = is_tainted($var);

  # Functions for quoting

  # Functions for decoding
  $rv = url_decode($var);

  # Functions that tell you about your environment
  my $is_cgi   = i_am_cgi();
  my $net_addr = get_netaddr($ip_addr);
  my $urlbase  = correct_urlbase();

  # Functions for searching
  $loc = lsearch(\@arr, $val);

  # Data manipulation
  ($removed, $added) = diff_arrays(\@old, \@new);

  # Functions for manipulating strings
  $val = trim(" abc ");
  ($removed, $added) = diff_strings($old, $new);
  $wrapped = wrap_comment($comment);

  # Functions for formatting time

  # Functions for dealing with files
  $time = file_mod_time($filename);

  # Cryptographic Functions
  $crypted_password = bz_crypt($password);
  $new_password = generate_random_password($password_length);

  # Validation Functions


This package contains various utility functions which do not belong anywhere else.

It is not intended as a general dumping group for something which people feel might be useful somewhere, someday. Do not add methods to this package unless it is intended to be used for a significant number of files, and it does not belong anywhere else.


This package provides several types of routines:


Several functions are available to deal with tainted variables. Use these with care to avoid security holes.


Determines whether a particular variable is tainted


Tricks perl into untainting a particular variable.

Use trick_taint() when you know that there is no way that the data in a scalar can be tainted, but taint mode still bails on it.

WARNING!! Using this routine on data that really could be tainted defeats the purpose of taint mode. It should only be used on variables that have been sanity checked in some way and have been determined to be OK.


This routine detaints a natural number. It returns a true value if the value passed in was a valid natural number, else it returns false. You MUST check the result of this routine to avoid security holes.


This routine detaints a signed integer. It returns a true value if the value passed in was a valid signed integer, else it returns false. You MUST check the result of this routine to avoid security holes.


Some values may need to be quoted from perl. However, this should in general be done in the template where possible.


Returns a value quoted for use in HTML, with &, <, >, and " being replaced with their appropriate HTML entities.


Returns a string where only explicitly allowed HTML elements and attributes are kept. All HTML elements and attributes not being in the whitelist are either escaped (if HTML::Scrubber is not installed) or removed.


Quotes characters so that they may be included as part of a url.


Quotes characters so that they may be used as CSS class names. Spaces are replaced by underscores.


This is similar to html_quote, except that ' is escaped to &apos;. This is kept separate from html_quote partly for compatibility with previous code (for &apos;) and partly for future handling of non-ASCII characters.


Converts the %xx encoding from the given URL back to its original form.

Environment and Location

Functions returning information about your environment or location.


Tells you whether or not you are being run as a CGI script in a web server. For example, it would return false if the caller is running in a command-line script.


Given an IP address, this returns the associated network address, using Bugzilla-params->{'loginnetmask'}> as the netmask. This can be used to obtain data in order to restrict weak authentication methods (such as cookies) to only some addresses.


Returns either the sslbase or urlbase parameter, depending on the current setting for the ssl parameter.


Returns true if an alternate host is used to display attachments; false otherwise.


Functions for searching within a set of values.

lsearch($list, $item)

Returns the position of $item in $list. $list must be a list reference.

If the item is not in the list, returns -1.

Data Manipulation

diff_arrays(\@old, \@new)
 Description: Takes two arrayrefs, and will tell you what it takes to 
              get from @old to @new.
 Params:      @old = array that you are changing from
              @new = array that you are changing to
 Returns:     A list of two arrayrefs. The first is a reference to an 
              array containing items that were removed from @old. The
              second is a reference to an array containing items
              that were added to @old. If both returned arrays are 
              empty, @old and @new contain the same values.

String Manipulation


Removes any leading or trailing whitespace from a string. This routine does not modify the existing string.

diff_strings($oldstr, $newstr)

Takes two strings containing a list of comma- or space-separated items and returns what items were removed from or added to the new one, compared to the old one. Returns a list, where the first entry is a scalar containing removed items, and the second entry is a scalar containing added items.

wrap_hard($string, $size)

Wraps a string, so that a line is never longer than $size. Returns the string, wrapped.


Takes a bug comment, and wraps it to the appropriate length. The length is currently specified in Bugzilla::Constants::COMMENT_COLS. Lines beginning with ">" are assumed to be quotes, and they will not be wrapped.

The intended use of this function is to wrap comments that are about to be displayed or emailed. Generally, wrapped text should not be stored in the database.

find_wrap_point($string, $maxpos)

Search for a comma, a whitespace or a hyphen to split $string, within the first $maxpos characters. If none of them is found, just split $string at $maxpos. The search starts at $maxpos and goes back to the beginning of the string.


Returns true is the string contains only 7-bit characters (ASCII 32 through 126, ASCII 10 (LineFeed) and ASCII 13 (Carrage Return).


Disable utf8 on STDOUT (and display raw data instead).

clean_text($str) Returns the parameter "cleaned" by exchanging non-printable characters with spaces. Specifically characters (ASCII 0 through 31) and (ASCII 127) will become ASCII 32 (Space).

This is a method of getting localized strings within Bugzilla code. Use this when you don't want to display a whole template, you just want a particular string.

It uses the global/message.txt.tmpl template to return a string.

$message - The identifier for the message.
$vars - A hashref. Any variables you want to pass to the template.

A string.

Formatting Time


Takes a time, converts it to the desired format and appends the timezone as defined in editparams.cgi, if desired. This routine will be expanded in the future to adjust for user preferences regarding what timezone to display times in.

This routine is mainly called from templates to filter dates, see "FILTER time" in Templates.pm. In this case, $format is undefined and the routine has to "guess" the date format that was passed to $dbh->sql_date_format().


Returns a number with 2 digit precision, unless the last digit is a 0. Then it returns only 1 digit precision.



Takes a filename and returns the modification time. It returns it in the format of the "mtime" parameter of the perl "stat" function.



Takes a string and returns a crypted value for it, using a random salt.

Please always use this function instead of the built-in perl "crypt" when initially encrypting a password.


Returns an alphanumeric string with the specified length (10 characters by default). Use this function to generate passwords and tokens.



Do a syntax checking for a legal email address and returns 1 if the check is successful, else returns 0. Untaints $email if successful.


Make sure the date has the correct format and returns 1 if the check is successful, else returns 0.