author: lpsolit%gmail.com <> 2006-10-15 06:25:33 +0200
committer: lpsolit%gmail.com <> 2006-10-15 06:25:33 +0200
commit: ef822794d93408e154ad0835c127485a537fa186 (patch)
tree: faea2054477e743015dbc3bce25c448fb6da9cb8
parent: 79b572263ea0dfcc1638757057825c3e6a2ee38d (diff)
download: bugzilla-ef822794d93408e154ad0835c127485a537fa186.tar.gz, bugzilla-ef822794d93408e154ad0835c127485a537fa186.tar.xz
Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when "doall" is set - Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit a=justdave
-rw-r--r-- docs/rel_notes.txt | 7
-rwxr-xr-x showdependencygraph.cgi | 4
2 files changed, 6 insertions, 5 deletions
diff --git a/docs/rel_notes.txt b/docs/rel_notes.txt
index f70c508a4..98ddc4da8 100644
--- a/docs/rel_notes.txt
+++ b/docs/rel_notes.txt
@@ -577,11 +577,10 @@ every login cookie Bugzilla has ever given out.)
Version 2.22.1
--------------
-The Bugzilla team fixed two Information Leaks and two Cross-Site
+The Bugzilla team fixed two Information Leaks and three Cross-Site
Scripting vulnerabilities that existed in versions of Bugzilla
-prior to 2.22.1. None of them are considered to be of critical
-severity, but we still strongly recommend that you update any
-2.22 installation to 2.22.1.
+prior to 2.22.1. We strongly recommend that you update any 2.22
+installation to 2.22.1, to be protected from these vulnerabilities.
In addition, we have made an enhancement to security in this version
of Bugzilla. In previous versions, it was possible for malicious
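Review bot: The release-notes entry raises the count to three Cross-Site Scripting fixes but does not say which script or bug the new one concerns, so an administrator reading this section cannot tell it apart from the two already documented; since the commit message identifies it as Bug 355728 in showdependencygraph.cgi, consider naming the bug and script here as well. The same hunk also drops the sentence "None of them are considered to be of critical severity" and replaces it with an unqualified upgrade recommendation; if the severity assessment changed because of this third XSS, a short note to that effect would help readers who already reviewed the earlier 2.22.1 text.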
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index 00442c4f3..e483fd0f8 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -276,7 +276,9 @@ foreach my $f (@files)
}
}
-$vars->{'bug_id'} = $cgi->param('id');
+# Make sure we only include valid integers (protects us from XSS attacks).
+my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
+$vars->{'bug_id'} = join(', ', @bugs);
$vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
$vars->{'doall'} = $cgi->param('doall');
$vars->{'rankdir'} = $rankdir;
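Review bot: The `multiple_bugs` flag on the line after the new code is still computed from the raw `$cgi->param('id')` (`=~ /[ ,]/`) rather than from the filtered `@bugs` list, so the two values can disagree: an input such as `123, abc` now yields `bug_id` of just `123` while `multiple_bugs` is true, and the template receives a "multiple" flag for a single id. Deriving the flag from the sanitized list, e.g. `$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);`, keeps the two in step. Minor: the new `split(/[\s,]+/, ...)` accepts any whitespace as a separator while the existing `/[ ,]/` check only looks for a space or comma, another reason to base both on `@bugs`. Also worth a comment in the hunk: `grep(detaint_natural($_), ...)` relies on `detaint_natural` untainting `$_` in place as a side effect of the test, which is easy to miss when reading this line later.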