diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2016-05-16 20:22:28 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2016-05-16 20:22:28 +0200 |
| commit | dd61903154fd363fb4e763d60aa155a507c2c3fc (patch) | |
| tree | c083ef9533ba5b75e04e9829a91781021fada7cc | |
| parent | abfe21fd2b8579b30d097f0868c88e6fc3928c57 (diff) | |
| download | bugzilla-dd61903154fd363fb4e763d60aa155a507c2c3fc.tar.gz bugzilla-dd61903154fd363fb4e763d60aa155a507c2c3fc.tar.xz | |
Bug 1253263 - (CVE-2016-2803) [SECURITY] XSS vulnerability in dependency graphs via bug summary
r/a=dkl
| -rwxr-xr-x | showdependencygraph.cgi | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 196d8f84e..c45bd06f3 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -55,13 +55,19 @@ sub CreateImagemap { $default = qq{<area alt="" shape="default" href="$1">\n}; } - if ($line =~ /^rectangle \((.*),(.*)\) \((.*),(.*)\) (http[^ ]*) (\d+)(\\n.*)?$/) { + if ($line =~ /^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (http[^ ]*) (\d+)(?:\\n.*)?$/) { my ($leftx, $rightx, $topy, $bottomy, $url, $bugid) = ($1, $3, $2, $4, $5, $6); # Pick up bugid from the mapdata label field. Getting the title from # bugtitle hash instead of mapdata allows us to get the summary even # when showsummary is off, and also gives us status and resolution. + # This text is safe; it has already been escaped. my $bugtitle = $bugtitles{$bugid}; + + # The URL is supposed to be safe, because it's built manually. + # But in case someone manages to inject code, it's safer to escape it. + $url = html_quote($url); + $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } . qq{title="$bugtitle" href="$url" } . qq{coords="$leftx,$topy,$rightx,$bottomy">\n}; |