author | lpsolit%gmail.com <> | 2005-12-08 17:55:41 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2005-12-08 17:55:41 +0100 |
commit | fa5ed8f8630277c2560df1bf9fefdab30dec022e (patch) | |
tree | 8ec1013aa7ed52d3c8c1d0d880c4b316bd877e8b | |
parent | 73997d5064384dd64c82a714947644f4ffcc4366 (diff) | |
Bug 238780: editversions.cgi should reject newline characters (and convert them to whitespaces) - Patch by Paul <pdemarco@ppg.com> r=LpSolit a=justdave
-rw-r--r-- | Bugzilla/Util.pm | 12 | ||||
-rwxr-xr-x | editversions.cgi | 7 |
2 files changed, 18 insertions, 1 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 21885bbdc..31a1052e4 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -42,7 +42,7 @@ use base qw(Exporter);
 format_time format_time_decimal validate_date file_mod_time is_7bit_clean bz_crypt generate_random_password
- validate_email_syntax);
+ validate_email_syntax clean_text);
 use Bugzilla::Config;
 use Bugzilla::Constants;
@@ -390,6 +390,12 @@ sub is_7bit_clean {
 return $_[0] !~ /[^\x20-\x7E\x0A\x0D]/;
 }
+sub clean_text {
+ my ($dtext) = shift;
+ $dtext =~ s/[\x00-\x1F\x7F]/ /g; # change control characters to spaces
+ return $dtext;
+}
+
 1;
 __END__
@@ -639,6 +645,10 @@ into the string.
 Returns true is the string contains only 7-bit characters (ASCII 32 through 126, ASCII 10 (LineFeed) and ASCII 13 (Carrage Return).
+=item C<clean_text($str)>
+Returns the parameter "cleaned" by exchanging non-printable characters with spaces.
+Specifically characters (ASCII 0 through 31) and (ASCII 127) will become ASCII 32 (Space).
+
 =back
 =head2 Formatting Time
diff --git a/editversions.cgi b/editversions.cgi
index 396a6e605..eae1001ca 100755
--- a/editversions.cgi
+++ b/editversions.cgi
@@ -128,6 +128,9 @@ if ($action eq 'new') {
 # Cleanups and valididy checks
 $version_name || ThrowUserError('version_blank_name');
+ # Remove unprintable characters
+ $version_name = clean_text($version_name);
+
 my $version = new Bugzilla::Version($product->id, $version_name);
 if ($version) {
 ThrowUserError('version_already_exists',
@@ -240,6 +243,10 @@ if ($action eq 'edit') {
 if ($action eq 'update') {
 $version_name || ThrowUserError('version_not_specified');
+
+ # Remove unprintable characters
+ $version_name = clean_text($version_name);
+
 my $version_old_name = trim($cgi->param('versionold') || '');
 my $version_old = Bugzilla::Version::check_version($product, |
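Review bot: `my ($dtext) = shift;` in the new clean_text mixes a list assignment with a scalar `shift`; `my ($dtext) = @_;` or `my $dtext = shift;` is the conventional form and reads as intended. The character class covers only the ASCII controls (\x00-\x1F and \x7F), so if the argument is ever a decoded character string rather than bytes, C1 control characters (\x80-\x9F) pass through unchanged — whether that can happen cannot be told from this hunk, but `\p{Cc}` would cover both ranges if it can. A one-line comment on the sub noting that a newline at either end of the string becomes a space rather than disappearing, so callers should re-trim, would save the next caller the same mistake: `# Control characters become spaces, not nothing: trim the result if leading/trailing whitespace matters.`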
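Review bot: `=item C<clean_text($str)>` is followed directly by `Returns the parameter "cleaned" ...` with no blank line between them; a POD command paragraph runs until the next blank line, so the description is folded into the item label instead of being rendered as its body. Add an empty `+` line after the `=item` line, matching the layout the other items in this section presumably use (not visible in the hunk). It would also help to state in the description that tab, LF and CR are among the replaced characters, since rejecting newlines in version names is the reason the function exists.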
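Review bot: clean_text runs only after the `version_blank_name` check, so a version name made entirely of control characters passes the blank check and is then stored as whitespace; the 'update' hunk below has the same ordering ahead of `version_not_specified`. Cleaning first, and trimming again because a leading or trailing newline turns into a space rather than vanishing, closes the gap: `$version_name = trim(clean_text($version_name));` followed by `$version_name || ThrowUserError('version_blank_name');`. `trim` is already used in this file for the versionold parameter, so no new import is needed. The enclosing `if ($action eq 'new')` block starts before and ends after the hunk.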