author | David Lawrence <dkl@mozilla.com> | 2016-09-27 19:42:59 +0200 |
---|---|---|
committer | David Lawrence <dkl@mozilla.com> | 2016-09-27 19:42:59 +0200 |
commit | 4ac7c1e6ed67c75b3d558dc59adf736e96a988ff (patch) | |
tree | 710f1f779f163647ffcc11cafacd804a7ff2d0f0 | |
parent | 8affa3eab39d5b438067f3b5b0490be597b19bbc (diff) | |
Bug 1305713 - BMO: Persistent XSS via Git commit messages in comments
-rw-r--r-- | extensions/BMO/Extension.pm | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index ac0acd72d..8d7301f8b 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -675,7 +675,7 @@ sub bug_format_comment {
 match => qr/(^|\s)r(\d{4,})\b/,
 replace => sub {
 my $args = shift;
- my $match = $args->{matches}->[1];
+ my $match = html_quote($args->{matches}->[1]);
 return $args->{matches}->[0] . qq{<a href="https://viewvc.svn.mozilla.org/vc?view=rev&revision=$match">r$match</a>};
@@ -690,8 +690,8 @@ sub bug_format_comment {
 my $args = shift;
 my $preamble = html_quote($args->{matches}->[0]);
 my $repo = html_quote($args->{matches}->[1]);
- my $text = $args->{matches}->[2];
- my $revision = $args->{matches}->[3];
+ my $text = html_quote($args->{matches}->[2]);
+ my $revision = html_quote($args->{matches}->[3]);
 $repo = 'mozilla/webtools-bmo-bugzilla' if $repo =~ /^webtools\/bmo\/bugzilla/;
 $repo = 'bugzilla/bugzilla' if $repo =~ /^bugzilla\/bugzilla\.git/;
 $repo = 'bugzilla/bugzilla.org' if $repo =~ /^www\/bugzilla\.org/;
@@ -707,8 +707,8 @@ sub bug_format_comment {
 my $args = shift;
 my $preamble = html_quote($args->{matches}->[0]);
 my $repo = html_quote($args->{matches}->[1]);
- my $text = $args->{matches}->[2];
- my $revision = $args->{matches}->[3];
+ my $text = html_quote($args->{matches}->[2]);
+ my $revision = html_quote($args->{matches}->[3]);
 return qq#$preamble<a href="https://github.com/$repo/commit/$revision">$text</a>#;
 }
 });
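Review bot: In the @@ -707 hunk, wrapping `$revision` and `$repo` in html_quote() only keeps them from breaking out of the `href="https://github.com/$repo/commit/$revision"` attribute; html_quote does not URL-encode, so a capture containing `?`, `#`, `/` or `..` still changes where the generated link points rather than being rejected. Whether such a value can reach this code depends on the `match => qr/…/` pattern for this entry, which sits above the hunk and is not visible here, so this is a caveat to confirm rather than a demonstrated bug. If the captures are not already constrained to a hex object id and an `owner/name` path, I would reject anything else before building the link, e.g. `return $preamble . $text unless $revision =~ /^[0-9a-f]{7,40}$/i;` placed before the `return qq#…#;` line, so an odd-looking value is rendered as escaped text instead of a link. The same two captures are escaped identically in the @@ -690 hunk, whose return statement lies outside the hunk, and `bug_format_comment` itself begins above all three hunks.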
@@ -721,19 +721,19 @@ sub bug_format_comment {
 my $args = shift;
 my $match = $args->{matches}->[0];
 my $uri = URI->new($match);
+ my $text = html_quote($match);
 # Only work on BMO and Bugzilla repos
- my $repo = $uri->query_param_delete("p") || '';
+ my $repo = html_quote($uri->query_param_delete("p")) || '';
 if ($repo !~ /(webtools\/bmo|bugzilla)\//) {
- return qq#<a href="$match">$match</a>#;
+ return qq#<a href="$text">$text</a>#;
 }
- my $text = html_quote($match);
- my $action = $uri->query_param_delete("a") || '';
- my $file = $uri->query_param_delete("f") || '';
- my $frag = $uri->fragment || '';
- my $from_rev = $uri->query_param_delete("h") || '';
- my $to_rev = $uri->query_param_delete("hb") || '';
+ my $action = html_quote($uri->query_param_delete("a")) || '';
+ my $file = html_quote($uri->query_param_delete("f")) || '';
+ my $frag = html_quote($uri->fragment) || '';
+ my $from_rev = html_quote($uri->query_param_delete("h")) || '';
+ my $to_rev = html_quote($uri->query_param_delete("hb")) || '';
 if ($frag) {
 $frag =~ tr/l/L/; |