authorjustdave%syndicomm.com <>2001-07-04 16:05:59 +0200
committerjustdave%syndicomm.com <>2001-07-04 16:05:59 +0200
commitf208e298e2ac9836c8138449a0691f6deb850c4a (patch)
treea6735fb37995456992708da6408226c5188b198b
parenta9ead7b9778b67cc02ef2b3df51d08a5f88d4d52 (diff)
Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data
Patch by Gervase Markham <gervase.markham@univ.ox.ac.uk> r= justdave@syndicomm.com
-rw-r--r--CGI.pl9
-rw-r--r--defparams.pl6
-rw-r--r--globals.pl1
3 files changed, 10 insertions, 6 deletions
diff --git a/CGI.pl b/CGI.pl
index 09ab23c07..d7782f7e8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -659,7 +659,7 @@ sub quietly_check_login() {
sub CheckEmailSyntax {
my ($addr) = (@_);
my $match = Param('emailregexp');
- if ($addr !~ /$match/) {
+ if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
print "Content-type: text/html\n\n";
# For security, escape HTML special characters.
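Review bot: The character class added on the `if` line enumerates whitespace as space, tab, CR and LF only, whereas the rejection text added further down in this file tells the user that "any whitespace" is refused, so a vertical tab or form feed passes the check while the message says otherwise; `\s` closes that gap and reads as the documented intent: `if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\]\s]/) {`. The apostrophe is also absent from the denylist even though it is the other delimiter an HTML attribute or a hand-built SQL string can use; whether that matters depends on how callers later embed the login, which is not visible here, so it is worth a comment on the class such as `# denylist of HTML/SQL/header metacharacters; ' deliberately allowed` once that has been decided. The body of CheckEmailSyntax continues past the hunk.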
@@ -669,8 +669,11 @@ sub CheckEmailSyntax {
print "The e-mail address you entered\n";
print "(<b>$addr</b>) didn't match our minimal\n";
print "syntax checking for a legal email address.\n";
- print Param('emailregexpdesc');
- print "<p>Please click <b>back</b> and try again.\n";
+ print Param('emailregexpdesc') . "\n";
+ print "It must also not contain any of these special characters: " .
+ "<tt>\\ ( ) &amp; &lt; &gt; , ; : \" [ ]</tt> " .
+ "or any whitespace.\n";
+ print "<p>Please click <b>Back</b> and try again.\n";
PutFooter();
exit;
}
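Review bot: The character list typed into the new `print` lines is a second copy of the character class tested a few lines above in the same sub, so the next edit to either one will silently desynchronise the check from what the user is told. A small guard is a comment on both sites, e.g. `# keep in sync with the reject class in the test above`, or better, a single `qr//` held in a lexical that the message is derived from. The entities `&amp; &lt; &gt;` are correctly encoded for the HTML context the string is printed into, and `$addr` on the context line is assumed to have been escaped by the lines between the two hunks (not visible here) — worth confirming since that is the bug the commit addresses.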
diff --git a/defparams.pl b/defparams.pl
index 1b99751bc..0bb47d59f 100644
--- a/defparams.pl
+++ b/defparams.pl
@@ -529,14 +529,14 @@ DefParam("expectbigqueries",
0);
DefParam("emailregexp",
- 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is <tt>^[^@, ]*$</tt>, which means "local usernames, no @ allowed.',
+ 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is <tt>^[^@]*$</tt>, which means "local usernames, no @ allowed.',
"t",
- q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:);
+ q:^[^@]*@[^@]*\\.[^@]*$:);
DefParam("emailregexpdesc",
"This describes in english words what kinds of legal addresses are allowed by the <tt>emailregexp</tt> param.",
"l",
- "A legal address must contain exactly one '\@', and at least one '.' after the \@, and may not contain any commas or spaces.");
+ "A legal address must contain exactly one '\@', and at least one '.' after the \@.");
DefParam("emailsuffix",
"This is a string to append to any email addresses when actually sending mail to that address. It is useful if you have changed the <tt>emailregexp</tt> param to only allow local usernames, but you want the mail to be delivered to username\@my.local.hostname.",
diff --git a/globals.pl b/globals.pl
index 81efb4745..736cb431a 100644
--- a/globals.pl
+++ b/globals.pl
@@ -695,6 +695,7 @@ sub DBname_to_id {
sub DBNameToIdAndCheck {
my ($name, $forceok) = (@_);
+ $name = html_quote($name);
my $result = DBname_to_id($name);
if ($result > 0) {
return $result;
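Review bot: The added `$name = html_quote($name);` rewrites the value before `DBname_to_id($name)` is consulted, so the database lookup is performed on the HTML-escaped login rather than the one the user typed; any existing account whose login contains `&`, `<`, `>` or `"` — characters the previous `emailregexp` default permitted — will no longer resolve, and the `$forceok` branch after `return $result` (outside the hunk) presumably receives the escaped form as well. Escaping belongs where the name is printed, not where it is looked up: keep `my $result = DBname_to_id($name);` on the raw input and apply `html_quote($name)` only when building the error message. What html_quote escapes is not visible here; if it covers fewer characters than the denylist this commit adds to CheckEmailSyntax, the two should be reconciled. DBNameToIdAndCheck's body continues past the hunk.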