diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2015-12-22 18:56:39 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2015-12-22 18:56:39 +0100 |
| commit | e69201a466d40d563d3c28a599c1569cfca9b471 (patch) | |
| tree | 2b7199c0943f2cdb93097916f8355b49b9d3ede7 | |
| parent | eb1357fe03bb47cdd479cf533022e11dd6bd22e0 (diff) | |
| download | bugzilla-e69201a466d40d563d3c28a599c1569cfca9b471.tar.gz bugzilla-e69201a466d40d563d3c28a599c1569cfca9b471.tar.xz | |
Bug 1221518: (CVE-2015-8508) [SECURITY] XSS in dependency graphs when displaying the bug summary
r=gerv a=dkl
| -rwxr-xr-x | showdependencygraph.cgi | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index a023dd77d..27e063f62 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -61,7 +61,7 @@ sub CreateImagemap { # Pick up bugid from the mapdata label field. Getting the title from # bugtitle hash instead of mapdata allows us to get the summary even # when showsummary is off, and also gives us status and resolution. - my $bugtitle = html_quote(clean_text($bugtitles{$bugid})); + my $bugtitle = $bugtitles{$bugid}; $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } . qq{title="$bugtitle" href="$url" } . qq{coords="$leftx,$topy,$rightx,$bottomy">\n}; @@ -180,13 +180,16 @@ foreach my $k (@bug_ids) { # Retrieve bug information from the database my ($stat, $resolution, $summary) = $dbh->selectrow_array($sth, undef, $k); - # Resolution and summary are shown only if user can see the bug - if (!$user->can_see_bug($k)) { + $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); + + # The bug summary is shown only if the user can see the bug. + if ($user->can_see_bug($k)) { + $summary = html_quote(clean_text($summary)); + } + else { $summary = ''; } - $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); - my @params; if ($summary ne "" && $cgi->param('showsummary')) { |