authorFrédéric Buclin <LpSolit@gmail.com>2016-03-15 17:07:20 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2016-03-15 17:07:20 +0100
commit27daf484e99ea638f10beec81f41a2bcb412fd4d (patch)
tree088d75d8a696cd767b9c595a565ecb3d8e878bf1
parent53d6ba4398b0e27216d5152dea3fbe0a9f0e1572 (diff)
Bug 1253267: DOT injection vulnerability in dependency graphs when long bug summaries are wrapped
r=dkl
-rwxr-xr-xshowdependencygraph.cgi3
1 files changed, 3 insertions, 0 deletions
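diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index e692167de..196d8f84e 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -199,6 +199,9 @@ foreach my $k (@bug_ids) {
 utf8::encode($summary) if utf8::is_utf8($summary);
 $summary = wrap_comment($summary);
 $summary =~ s/([\\\"])/\\$1/g;
+ # Newlines must be escaped too, to not break the .map file
+ # and to prevent code injection.
+ $summary =~ s/\n/\\n/g;
 push(@params, qq{label="$k\\n$summary"});
 }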
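Review bot: The new substitution only neutralises `\n`; a carriage return in `$summary` would still reach the DOT label and the generated .map file raw, so if `wrap_comment` or the stored summary can carry `\r` (not visible here), a companion step such as `$summary =~ s/\r/\\r/g;` or `$summary =~ tr/\r//d;` placed right after the newline escape would close that gap. The correctness of the added line also depends on its position: it must run after the backslash/quote escape on the preceding line, otherwise the `\` it inserts would itself be doubled into `\\n`, and that ordering constraint deserves a comment, e.g. `# Must stay after the backslash escape above, or the inserted "\" gets doubled.`. The enclosing `foreach my $k (@bug_ids)` loop starts outside the hunk; only its closing brace is visible.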