author | justdave%syndicomm.com <> | 2001-07-04 16:05:59 +0200 |
---|---|---|
committer | justdave%syndicomm.com <> | 2001-07-04 16:05:59 +0200 |
commit | f208e298e2ac9836c8138449a0691f6deb850c4a (patch) | |
tree | a6735fb37995456992708da6408226c5188b198b | |
parent | a9ead7b9778b67cc02ef2b3df51d08a5f88d4d52 (diff) | |
Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data
Patch by Gervase Markham <gervase.markham@univ.ox.ac.uk>
r= justdave@syndicomm.com
-rw-r--r-- | CGI.pl | 9 | ||||
-rw-r--r-- | defparams.pl | 6 | ||||
-rw-r--r-- | globals.pl | 1 |
3 files changed, 10 insertions, 6 deletions
@@ -659,7 +659,7 @@ sub quietly_check_login() {
 sub CheckEmailSyntax {
 my ($addr) = (@_);
 my $match = Param('emailregexp');
- if ($addr !~ /$match/) {
+ if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
 print "Content-type: text/html\n\n";
 # For security, escape HTML special characters.
@@ -669,8 +669,11 @@ sub CheckEmailSyntax {
 print "The e-mail address you entered\n";
 print "(<b>$addr</b>) didn't match our minimal\n";
 print "syntax checking for a legal email address.\n";
- print Param('emailregexpdesc');
- print "<p>Please click <b>back</b> and try again.\n";
+ print Param('emailregexpdesc') . "\n";
+ print "It must also not contain any of these special characters: " .
+ "<tt>\\ ( ) & < > , ; : \" [ ]</tt> " .
+ "or any whitespace.\n";
+ print "<p>Please click <b>Back</b> and try again.\n";
 PutFooter();
 exit;
 }
diff --git a/defparams.pl b/defparams.pl
index 1b99751bc..0bb47d59f 100644
--- a/defparams.pl
+++ b/defparams.pl
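Review bot: The character class added on the `if` line and the list printed to the user later in CheckEmailSyntax are two hand-maintained copies of the same policy, and they already disagree: the message says "or any whitespace" but the class only lists space, tab, CR and LF. Using `\s` makes the code match the wording, e.g. `if ($addr !~ /$match/ || $addr =~ /[\\()<>&,;:"\[\]]|\s/) {`, and a comment such as `# Keep this list in sync with the error text printed below.` would tie the two together. This rejection is an input filter; the escaping referred to by the comment that closes the first hunk is still what protects the echo of `$addr` in the message. The remainder of CheckEmailSyntax lies between and after the two hunks and is not fully visible here.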
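Review bot: The new message line `"<tt>\\ ( ) & < > , ; : \" [ ]</tt> " .` emits `&`, `<` and `>` as raw characters inside HTML output, so the page markup is ill-formed and the very characters the user is being told about may not all render. Entity-encode them in the literal: `"<tt>\\ ( ) &amp; &lt; &gt; , ; : \" [ ]</tt> " .`. The preceding `print Param('emailregexpdesc') . "\n";` is emitted verbatim as before; that value comes from the site parameter defined in defparams.pl rather than from the request, so it is outside the bug this commit fixes.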
@@ -529,14 +529,14 @@ DefParam("expectbigqueries", 0);
 DefParam("emailregexp",
- 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is <tt>^[^@, ]*$</tt>, which means "local usernames, no @ allowed.',
+ 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is <tt>^[^@]*$</tt>, which means "local usernames, no @ allowed.',
 "t",
- q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:);
+ q:^[^@]*@[^@]*\\.[^@]*$:);
 DefParam("emailregexpdesc",
 "This describes in english words what kinds of legal addresses are allowed by the <tt>emailregexp</tt> param.",
 "l",
- "A legal address must contain exactly one '\@', and at least one '.' after the \@, and may not contain any commas or spaces.");
+ "A legal address must contain exactly one '\@', and at least one '.' after the \@.");
 DefParam("emailsuffix",
 "This is a string to append to any email addresses when actually sending mail to that address. It is useful if you have changed the <tt>emailregexp</tt> param to only allow local usernames, but you want the mail to be delivered to username\@my.local.hostname.",
diff --git a/globals.pl b/globals.pl
index 81efb4745..736cb431a 100644
--- a/globals.pl
+++ b/globals.pl
@@ -695,6 +695,7 @@ sub DBname_to_id {
 sub DBNameToIdAndCheck {
 my ($name, $forceok) = (@_);
+ $name = html_quote($name);
 my $result = DBname_to_id($name);
 if ($result > 0) {
 return $result; |
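Review bot: The updated `emailregexp` description still presents the parameter as the whole definition of a legal address, but after this change the default pattern `q:^[^@]*@[^@]*\\.[^@]*$:` accepts commas and spaces and relies on the separate character check in CGI.pl's CheckEmailSyntax to reject them. An administrator tuning this parameter should be told that, so append something like `Note that a fixed set of characters (backslash, parentheses, &, <, >, comma, semicolon, colon, double quote, square brackets and whitespace) is rejected by CheckEmailSyntax regardless of this setting.` to the description. The pattern's trailing `$` also lets an address ending in a newline match, which only the CGI.pl check catches; `\z` would make the parameter self-sufficient. Dropping the "commas or spaces" sentence from the `emailregexpdesc` default is consistent with CheckEmailSyntax now printing its own list.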
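Review bot: `$name = html_quote($name);` is applied before `DBname_to_id($name)`, so the lookup is performed on the HTML-escaped string rather than on what the user typed; if html_quote rewrites `&`, `<`, `>` or `"` to entities, as its name suggests, a login containing any of them is no longer found, and the escaping belongs at the point where the name is echoed rather than before the query. Keep the lookup on the raw value and escape only the copy that is printed, e.g. leave `my $result = DBname_to_id($name);` as it was and use `my $shown_name = html_quote($name);` in the error path. The body of DBNameToIdAndCheck, including that error path, continues past the end of the hunk, so the echo site itself is not visible here.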