diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:24:20 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:24:20 +0100 |
| commit | 564fb6842b0d0be49a58e1ed30a94b8f0a2c511e (patch) | |
| tree | 7c948449a19374c1e489e6fb71ea2d530afe9029 | |
| parent | e2c8da0dfc534ffca6232cc7d370299d5d446604 (diff) | |
| download | bugzilla-564fb6842b0d0be49a58e1ed30a94b8f0a2c511e.tar.gz bugzilla-564fb6842b0d0be49a58e1ed30a94b8f0a2c511e.tar.xz | |
Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
r=glob a=LpSolit
| -rw-r--r-- | Bugzilla/Template.pm | 14 | ||||
| -rwxr-xr-x | show_bug.cgi | 11 | ||||
| -rw-r--r-- | template/en/default/global/user-error.html.tmpl | 5 |
3 files changed, 18 insertions, 12 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 81d01b426..f70224a9c 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -96,12 +96,15 @@ sub get_format { my $self = shift; my ($template, $format, $ctype) = @_; - $ctype ||= 'html'; - $format ||= ''; + $ctype //= 'html'; + $format //= ''; - # Security - allow letters and a hyphen only - $ctype =~ s/[^a-zA-Z\-]//g; - $format =~ s/[^a-zA-Z\-]//g; + # ctype and format can have letters and a hyphen only. + if ($ctype =~ /[^a-zA-Z\-]/ || $format =~ /[^a-zA-Z\-]/) { + ThrowUserError('format_not_found', {'format' => $format, + 'ctype' => $ctype, + 'invalid' => 1}); + } trick_taint($ctype); trick_taint($format); @@ -127,6 +130,7 @@ sub get_format { return { 'template' => $template, + 'format' => $format, 'extension' => $ctype, 'ctype' => Bugzilla::Constants::contenttypes->{$ctype} }; diff --git a/show_bug.cgi b/show_bug.cgi index 7b9157959..3956ce4b3 100755 --- a/show_bug.cgi +++ b/show_bug.cgi @@ -22,9 +22,11 @@ my $vars = {}; my $user = Bugzilla->login(); +my $format = $template->get_format("bug/show", scalar $cgi->param('format'), + scalar $cgi->param('ctype')); + # Editable, 'single' HTML bugs are treated slightly specially in a few places -my $single = !$cgi->param('format') - && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html'); +my $single = !$format->{format} && $format->{extension} eq 'html'; # If we don't have an ID, _AND_ we're only doing a single bug, then prompt if (!$cgi->param('id') && $single) { @@ -34,9 +36,6 @@ if (!$cgi->param('id') && $single) { exit; } -my $format = $template->get_format("bug/show", scalar $cgi->param('format'), - scalar $cgi->param('ctype')); - my (@bugs, @illegal_bugs); my %marks; @@ -126,5 +125,5 @@ $vars->{'displayfields'} = \%displayfields; print $cgi->header($format->{'ctype'}); -$template->process("$format->{'template'}", $vars) +$template->process($format->{'template'}, $vars) || ThrowTemplateError($template->error()); diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index c9448a503..6d03eaa4b 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -741,7 +741,10 @@ [% title = "Format Not Found" %] The requested format <em>[% format FILTER html %]</em> does not exist with a content type of <em>[% ctype FILTER html %]</em>. - + [% IF invalid %] + Both parameters must contain letters and hyphens only. + [% END %] + [% ELSIF error == "flag_type_sortkey_invalid" %] [% title = "Flag Type Sort Key Invalid" %] The sort key <em>[% sortkey FILTER html %]</em> must be an integer |